1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2024, 19:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
Size

4.7MB
MD5

f7e93686e2ae581bd1f71c106d587a31
SHA1

9f5e6287851e9df0d16d82c4e2bd4b987f69c808
SHA256

1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56
SHA512

80e0fdb0f25cec6b2eda9fb5acc617270bbd89301b36dfb61ee7f47a2e555de7d5de6e7ec3ab1b06f986a69b88c4c86473fd15a28e09bc65797dabb79f1e2d68
SSDEEP

98304:l5tEsszPCGTs3RAW8oYBHspDfuvmeNPLRcPyEeh/KgA:OssbCGo3yW8oLfZeNjR2ehCg

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
64	alg.exe
3372	DiagnosticsHub.StandardCollector.Service.exe
3356	fxssvc.exe
2996	elevation_service.exe
2924	elevation_service.exe
5036	maintenanceservice.exe
832	msdtc.exe
4136	OSE.EXE
740	PerceptionSimulationService.exe
1100	perfhost.exe
1364	locator.exe
1628	SensorDataService.exe
1924	snmptrap.exe
400	spectrum.exe
2592	ssh-agent.exe
4080	TieringEngineService.exe
1812	AgentService.exe
3564	vds.exe
1160	vssvc.exe
1260	wbengine.exe
1396	WmiApSrv.exe
2112	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7970c28816be280c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\System32\alg.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\locator.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c859d745a3d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc682846a3d0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ae88345a3d0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000089c36547a3d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f1dc047a3d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0b1d146a3d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001df06f46a3d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052c5fd45a3d0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071407e46a3d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a356c45a3d0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
3372	DiagnosticsHub.StandardCollector.Service.exe
3372	DiagnosticsHub.StandardCollector.Service.exe
3372	DiagnosticsHub.StandardCollector.Service.exe
3372	DiagnosticsHub.StandardCollector.Service.exe
3372	DiagnosticsHub.StandardCollector.Service.exe
3372	DiagnosticsHub.StandardCollector.Service.exe
3372	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
Token: SeAuditPrivilege	3356	fxssvc.exe
Token: SeDebugPrivilege	3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
Token: SeRestorePrivilege	4080	TieringEngineService.exe
Token: SeManageVolumePrivilege	4080	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1812	AgentService.exe
Token: SeBackupPrivilege	1160	vssvc.exe
Token: SeRestorePrivilege	1160	vssvc.exe
Token: SeAuditPrivilege	1160	vssvc.exe
Token: SeBackupPrivilege	1260	wbengine.exe
Token: SeRestorePrivilege	1260	wbengine.exe
Token: SeSecurityPrivilege	1260	wbengine.exe
Token: 33	2112	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2112	SearchIndexer.exe
Token: SeDebugPrivilege	3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
Token: SeDebugPrivilege	3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
Token: SeDebugPrivilege	3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
Token: SeDebugPrivilege	3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
Token: SeDebugPrivilege	3844	1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
Token: SeDebugPrivilege	3372	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3868	2112	SearchIndexer.exe	111
PID 2112 wrote to memory of 3868	2112	SearchIndexer.exe	111
PID 2112 wrote to memory of 5040	2112	SearchIndexer.exe	112
PID 2112 wrote to memory of 5040	2112	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe
"C:\Users\Admin\AppData\Local\Temp\1a291955d12aa7b3d47cc10b3985640e1ba3eae5f9dee54fc046846817407b56.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1060

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2996

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:832

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4136

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:644

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1260

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3868
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3c74814ddd7d29e9f0f2b0aecbd1c019

SHA1
e2febff3e59322f48a9088cee3b6205407f4382f

SHA256
a2913446062c1b5715b775883ac2283bffa7158cc5fd367c4fb25369015aacd3

SHA512
d9ab46b40af709c6bef8e2cb5311663a33743bdc91599b1b42a467d952178e18f435d1a6ade7725884952ac5684a556ee748a93e1ffa926b469f0742b908c563

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
c962e47145be48c7635f457b56bfb530

SHA1
86883e3b66065ce51689bccf124de8e196971b9b

SHA256
130062be603981d017cf26ddf83902d6dbe87aa044eff1524d5c50c1dea4ea7b

SHA512
dec744350b595665165a79c3932f746ade18ab1488c23ea33975fac9393939d465552d6a6dc8932758f6cdaf0e2a8d68d85a2b21db696cd226b242590ef02fc4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
52c0397fcfda28252aa87990c88b0857

SHA1
562dd26cd4c64d48a4edbd9aa0dda15e8e24d40e

SHA256
b5f0276b3a5753cfc396c3a465d62ce6361d639758cfe3fef4c2f17b74abca58

SHA512
270ed3f0fdec0002c9923252748da7090b70386dfc7640cbb525a05df13b0e6f182a8ab3e538f1ecbdb31e3c238cb489b37ad3aab01aee21715205179953c914

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7c61341671721027936e1e2b16d55ef5

SHA1
7ab488c6b629a2a0d4d62ed3bec9696a13c3a30d

SHA256
0be7d318e4b627df49ae0ad604bd94f0c52fd534910f1366cbf4fdc512fe7637

SHA512
78a273c59fe115e1ef3b046a84b9c8af73932ee35e2b03bbbc014dfea866fb8bd2695508218fb3ee3f13c99ef88fb0ef3de5f872d66c4526cb3c639972dc7e75

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6f20bb7fe974ca7805c89146e0208e43

SHA1
87d181ca54c9b95c480e41203913502898169109

SHA256
ad8d15d06e3a139579a910c230b4972e09ba5c797928003a39498b12754ad4f7

SHA512
a211d6ef5d63fe1a9e06bf67420c743b0ed83a1271dea57de0ff7f672170e2720a6ae670d4afbb0c5f368b30214d63183a6266df10646efa7915bb7bf042455e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
68c22a959cf3a388af774b038fcd4ca9

SHA1
767de13582e168ec694999ae13c86f881dbd4866

SHA256
83416a3d6b2847482c2e53f0c2707a7d6f67c4df22905126f3e99683297947bd

SHA512
6e0ba7a5949c2c1c0a1924000f71069406a00ce8ecf60a695aa047981601defbd264ce46a98ff4eff2a3673592aaf2834623bab04effc1b832c08aacf184a48b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
2590b34f9935a392a863fd69868bec75

SHA1
bc7d036713d6df84888c9b539be683715ec3e58e

SHA256
9881178b38a343a0e777482d3026319d854abbfce80c81f30f425d97cbebad4b

SHA512
eeb7cd71c3573eb807e0477c3c5d54c9fc220b5bea8d2b82a4af9d08ff632c1da6f28013708aaa22d92507927437f5c677c028d1fa2a45eef95e2a43e98b0010

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6f56582fed22850f050529591a12ab16

SHA1
65edf4ebd52151c7d63d5c47bd10cf80876c3dd0

SHA256
379e6bab852bb08e2240d51889ecc2443c992532ee5d33f9f3d57b117dbecfb8

SHA512
9940fcecc7412f04cfaad3990bb81f7feb3a5648ded1222b838367a28b3992b6fdf2f10c3ccf6759a8bde4fc8c187b0021bf1f6ec70ec39afedebd0b4d1be2b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
27f5ba91db73645f16b218a18cf0f10b

SHA1
f5cb451323e50764a5f50bcac14524c7e016f824

SHA256
290bf5579446f6e2780b1e9ff87af7e5b1bd84ac9817c90018a799b85cb0cb68

SHA512
e29f816d6a9ef85961e927de63e1cf3258bdd8065128bf7a2289410b3e7d9ef8f57cd9ce9bcd386226367b09fed9779466185ae92a6640e7773a9473644c9dad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b5b872767026ed21a19985543ebeb71a

SHA1
5e8dfefb99c9abfb931354f0207a6937bda129fc

SHA256
80b76b8641e1b7237e7e4e4d646d5fdc9ca95809f739cd812903027356667f41

SHA512
8c1284c4105424a60e74e0250b76e31cc2605912d80ffd9293158716fb8c985e7b8a888c3e982f1f582ba8ab914eea9dbfc0b3e82b881e101aa73059ef01ad62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b451ee7da7679c87990201bb008cdf45

SHA1
7f55a582588781823251800ba424824d1de13ee6

SHA256
61500f684c3291523f1f54186ffa2814b157d482e6d0d06b7786d5d8484efa78

SHA512
9329d90dd0dbd91b00fff9d8b4518d37da7d9f03734297348af042c76d4c02a554c842aa457087823b9060ff2767f063dafab2306a94434cbbcd79d8c466a0af

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bac3e6ba0c71ca3c9900100db99c5a13

SHA1
ae20959e2f0143b12d76d58c83474a57be6fcb7e

SHA256
ed10dca6c1499bfc88dd2a8aa5d63c9dbe3c5b26d81cbb7dddc49ad2aa252a7f

SHA512
39bb80f59f0abef1149c36b6c4ce804227d1c1819c6b6acfc48510c35049be808308ebda6a37ae232c061222873e0d84a4cacf412c6cd83926f29b3534e7ad44

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
977cac80611eba9e9ebbf43d83a90e4a

SHA1
1b4ba649d0b5512aa264ca7899e4685ac38452c1

SHA256
46b49407c8518c086fae9119fc86879fb42d7179df508712b1fce55301bb71e8

SHA512
e018d0b55a2e39c1330c5f4c2754090537ce029662f9fb2005509f29fbc83580fa587a8b299fb9b63f1b7385be8c02d8d0d05c3da9866815ecc95fb4404d2c90

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
5ba6e84599e027609808fe3e6eba0da9

SHA1
104877237ef12b98995d2023ae1b60478cfdb220

SHA256
92e9033103ca19536d24758494fc618f01a01e9a42a7cb694d79dd96674c4b6f

SHA512
db5d1aad2ee55277398395062f53ccfc3de67331cc120533565bbcda65ec1e12f8dacf43948f3d5ce81724ad99230d871e9957e2f0188c90cb125a11eb6046a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7346728221f50a6abf16b9246fd024d3

SHA1
f458e521af19ef5a950fe8fc9455e3bfb1fad9f2

SHA256
4da3c4a0b5aeabc58cce29cef0018516c2d93d48f7e17defd36e3f6cc45b47e6

SHA512
35cd996e124b95ab24a035426b34a5fcb91a4305d7a5193b6f6ebae9fdd50c49ee5c88d973012fea2980a7fc03c8cca70fcc31d2f3955cd5adb7615e0aae91dd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
10ebccf835a74ce2146fd7f728677aa7

SHA1
4161582d4860437836c4440a234a1d77e6b8ffdb

SHA256
882d00e9346ed630964af3cda010c3ac4d12956f5bd39c4b24bfa6fbf5736f0a

SHA512
c28af870cdd4465ed90d188d8c5bb603009d49526ad3304ec2af6ddec8b1164a4c6f7502002b740e7af8ea3ceb4620391e1e020e1ff0e0da5abcc7c41a81388b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ce1f781b378f54de91ab6d7f7ff70b8a

SHA1
03c2dff1a784ac1edd78f18e7092605b84b962b1

SHA256
dba025de75aa6aee6f68ce22aa16ac8fe31189167957b382fdc3d8daffcb14c9

SHA512
1cb1bb3d44c752e8c2aa64bc53ed335938bb1c1cebe96b2d8d92d95046a6cb92a1ed71ae30378afeb226234566250a73eec01a53fad7a571b96a0d31abdc60fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0fd1a557cc7e2081bf19d8ce6391cb8e

SHA1
bcab176a37c25f0a693d924b606f5514925a233a

SHA256
5f75895eb823ad088003b00fe1c5d5b17567060adcd54de17c45480c1e9dff06

SHA512
f246c9a70e68561e944d888bcc28834861ac169180b7b940ec6da50332efcae1e7597146d0a9a8c798da8f4cc9bc2a9faa481ffcca2895aacffb48bc6b4cbe38

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a73afeefcb69f0e4282ac8c667a8b9e7

SHA1
cd5ec6ff104c1563064d6b0e63e5f34b33ac7a56

SHA256
5c6eb3b2b0fefdb07b1862a8ec77800d6900a3b3748921e29da7f38b07b55dd1

SHA512
3c92927700bb629ef03f845d01161e6f441e9efec50a135cd6347a7937a8cceea49b867e2d327365829a574f63a8c72f06221b3f661ec1b73c6c69911964707f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
9c0ca796bbacb483843a9efd7b99efde

SHA1
d058da51cc0a56bfe7144dbd4dcee415c2d56c86

SHA256
68b5bc442145c15e678e99d1ed07c362c63f3fbf559a012e2c2668597792b2df

SHA512
427ff678edcda51ba508cdb89d4666d47d8a233ded3f26230100940942b50b4f966631c8528979cb45a668876dcf3045a881aac228f203bd6bb983ffeed1a65a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b6a4349481a509fb88230c50e92e1411

SHA1
658a5d56310323d751d52b232b67659f348ac65a

SHA256
4df35883895086143ba64ac2fa2ba05b01720a33ca97e2cbb0e9fcfa7986bc42

SHA512
8b86fa20462d5d02ffcbbcf5ea4c898c4df1519efbae8eca9fc44aee0a6cfa2ce4841fe3962ce23647d59a4ff77777ea26bd096c29ed30b919ede7688e622b5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
c182fe724a8607514b95ae97d2424f69

SHA1
14a54edd2d1501dded233b21722a2e7cd60717e0

SHA256
9b81710f2486dce969870168f77283d41b826439dfacf2eb3dd2d17386a40a50

SHA512
21d1cd6ce4b0c17489d8ce7d3800b93d36be454db78889c81a417addeb79f19392ccf3031fea6a42c759eed085c3fbd44ad51864b4ca597834a7106ef0b2d3d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
53ddf32da347875cf55378091dc692f6

SHA1
58f82af75326d4a72ffce9251d8b679e4cedb6c0

SHA256
9be5b5f5519e4afe59e35cd35f5f37f3e6d7227eb7c781cabc054984f1b9a57e

SHA512
b8399bb735c2f072d64794bf52efebb6bea82f05fa4191d400fa7ddc72c24f16ddedd6ac78e6180f4b12b14a52d0ae4bfb8b840df8529dd0c86d9ccdf5e65abe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
2b1357077c0e2a3240b559c0761b46cf

SHA1
2ddfd7dc00118d139ebd3412c6ff68a8e9437014

SHA256
8609e7520bb044a5805dfac967ee2614c1fa29020aa0dd60b0b37037da6b2443

SHA512
b4b472f757683228033f9064f95d4824abfeb93bb26f798174193c192260020a7f4be01439dabb2cb7c61eeac6d07613eae584fb7ddeba8d1de18a2f45fdc73e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
df214cb8d31d02d8d397c9c229190ca2

SHA1
00d5baf9e760e02b31f69741111bf50016bcf6ba

SHA256
8303395c8bc0d51964738c15a641580ebeecd93a8ba236ddeeac9b7ed203f065

SHA512
f237ee67efcbb2d77efe08435456310932b3d9a55678c4feaf6b930c161f20143cc644d5fd316ec50c9c7973bae99cee29ec5c92118564a229cbd0d0271f1400

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
a6fc2d010d7eea9084689a916386d165

SHA1
45a864325d4f4798a33d289c9dc483cfd8b8b895

SHA256
96f92d95ddfe43f69f66d8e6ccd4ecb284ce95f19c97eb8b75e22803da42ed25

SHA512
3e51a5125740bb6c7f636956f7b60ad9858c6b57a552ae5430476288424efcb24a00a6b9543c74e979be3d123ef8301962f48f815cd0b012b47173453b86517a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
136885cca8adcd135d75744de397a95f

SHA1
1e5bb65475174b14142e40027d0134e86f2acf8c

SHA256
552c3aac0a288ff580e60cf50d724d9bd51b27d6b469dd1be6f48ba899c2e0be

SHA512
e2edee7ab1bfbb0c458f694985e3a32c2d96d6f40eef1ff5a2f414054d745ab18173c5844f3de77fbd141f77074fd0d1f1a9ce850a6844606c197aed95eed757

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
965161cb5f4d7f346adbed0e9dd5f02d

SHA1
092856617a0afea2d98d575c8682f0a2557e49c5

SHA256
cc49f49888f29f2f1910bc9dd10337fa06c3204f51a4e943c1bdcb5afa64be35

SHA512
27e12e4871ccee68365a453023007793d032ef60481a64def6e3beff1f69c3c4439fc68def1502dd1ad947eb630c609cdcee22161f2b57f01d8273585147b26b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
bc2630ac90be0c6bb386bf76d243dd36

SHA1
b64acfd931f4400504754c5d8ad054b0f4317274

SHA256
9e18bbed991e16069f6faa32c02dc09808549e350b6a3dd449c5dc48383896e5

SHA512
cd27aba796a7c7007d8cd07f49a4bbb1b9450f182a6e7bdc3bafd7ae5bb4aac946e8546779c2b6e3e46d53f7d57c8eb682970c0cfbc25c72bf3f78d2f2a5e25e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
c9bb05ad3a1017a8aca52137347ea5ac

SHA1
30fc2a817fe179b4bd8e0f924f009c07a7a0aae5

SHA256
ad9581778256de6fb8225dd3552d91e1da873307ab5a2dc138a3b7d980554712

SHA512
019735ea4187ceab73714cbbe6ee528cb83835195acd6db78d00e7e663e3e700557b98fec19ce8bca060e4a717ea93925b9ac5317b1e528d85ae9319ff8f4b80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
7f2e0a1034f774f8c3be946ad6ac985f

SHA1
5670723aaa87b97de2bbacf9a984d3acf821adc8

SHA256
931f8ce7b5c02ef5888e8f83150acec28070fd51e822ff8f035f4e543fd1cfe6

SHA512
72e1654cb30cfcd9b3b0b34bd05c564855f3fbda1926de45e2a7d60f967c706f37e903ecb6df40b688a77ff65c3e40ed33df230cdbfa0b37e60a7f16a042d13b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
89c649426f4b51f5aa6d7ce361ceef70

SHA1
beaf8f0a3e4ab62043077a3e5aa5c776eb4a2e97

SHA256
0cad89b722d4b0cbd8aff342619c1994a4360234cfb424067393f420c43217a0

SHA512
8d1442760cd12312d892e95a6a596831fdb5ee70fa545f8d141ce0ad884a46c8ddb18d173495bea6597eceb33ba396290b86ded96de41ff6d697a83dc61242b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6e920f96b766c06b2d7648bea2e75f75

SHA1
8fcba37fc8babcfe72d8776b253e133e3f6c71a6

SHA256
e3f685a1f3ad83d4a2d162c46b0065d02cdc0a383a14877aad829612dbdda9bf

SHA512
750ba58dbed299775703955978a4b238761f06c35a20ab2fad3d5b536898231dac6f4dae96545f2589aa8cc94782e7ff1d1f2200a6323c21b2453df745d71840

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
8eeaa7416017553c602a0629b5c5b535

SHA1
86e8ecb6ff225b16bf573f6576a08e2efaf591ac

SHA256
108baf3b044111212d8b027290bde5fa8bc964bcf4effc42103c804c1752f25b

SHA512
c7c1e0da01aa0a1d03ef5615794449fb73f679472fa3f885bbac3c8c3dea06f036dabb72a3f3f95a2258c368a48a05d5b8a25b17701bb27d578798cec5dbe84a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
5184dbc237c5931eb0e1fbd8de7c8618

SHA1
f4f9bcbe968aa504e931431170c4acab6fa6ad79

SHA256
e9310d3ddf009678780a76dc42110fe42bebca67f21f8a537659776c712e1406

SHA512
834ca72c4c163fad2c3df97447bfce1cbafb038cb1ee0bf19784e70ed0deae54acd489aee29893b0b757e78e333e45d09bda294a2a76ef01319e0168f9ef987f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
c70cd56c2acb0d6f888cb20baf7bddf8

SHA1
2612d744bc2e019232a5188c5aac542fe581f0c7

SHA256
553633fdd7da20c89b88c4aafaaa04f845dd60ad33350b0f6cdb0e9920334e5b

SHA512
9f3462aedad11b2e1932c835e181e3f9423e532e3d010b88cd83dc398f49c99d4a9a1f3d76fe3179688f52ddee7a32fdcec55d2825622c14d47df039e42c5ba1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a39b62c091a8b9ee3a31205c81c3154a

SHA1
4060f6e6fb81f47cf9f62e0f207707a6b9cc8f2a

SHA256
82760fe7859c3a876d239ba36eca6c250b67dd772fa01cd309c0b938d320dadd

SHA512
078aa75708ce67c72f694772617ffb56387b2c811c066d3aa096beb563df96b55a0e65f9672c7a84bc4be8d570de4b65e4e4e95d49de57fa670a633d00cd1616

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
de35e21731de984a372268bca4f347a9

SHA1
694613b0d02634bf8133530d8d63553c75133d7d

SHA256
b18fa0466f886914b85e4baa4fea389d45b8bef7b784dcfdc418e1f870946afd

SHA512
cbd684c245d169628b9c6352f53c83baf939a79e231c10c12dd5ab9ffa31c6ca978ab9900c52d9ec6536cbcab09a2ad007f2ccd44f9621bfc4d6a349f2741756

Download Submit
C:\ProgramData\Norton\FSDErMgt\ErrMgmt\SQCLIENT.dat

Filesize
3KB

MD5
799950df336606763f6474c53c177acd

SHA1
b3e4fd6822e3b1b94440862ef709eac29b87c6c1

SHA256
9040ba7632568a9a7283231903f3870e703e13d9abb6c4a6f18205b3ff4dac2f

SHA512
fd714337c4cdac6da34d9b93a8d37a0836d0ae8ef459540c3689c240d916e38e2bcc79b9549115f88427b26eb89a5f7ffe2dac62b4a5140f63182e40147bea77

Download Submit
C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

Filesize
157B

MD5
4b785b74c64a46787e2b1797bbd4b4e3

SHA1
471e40b1b8bd436593dc6e50acc6a7db751e68bf

SHA256
4fb7cec0ee578ec8a926e43d8ed9b752c2191d7e558687cfcaa782911436d149

SHA512
a5a01062c238ead4c1e3461abcca45104110ad00ecd698813c85420e071869ef10ab437376fd606f2bb1e43cefa654597d1156c99a18481608a4284267a9e50b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4bc282d6cd57faffc8702e6853281361

SHA1
e96c620e60478ece1ad8cfc37ad9c5294ce73e59

SHA256
f53e80cc95fde25ef0e7ea21a7cb17d303b4caa88e63abf3af5a7bba0849f7bf

SHA512
323ef54bae39de7d6b97fa8afc4572455c2a916d301925b6d17740ff16e4b430bf0e6e23e7a05e600355ca0ed33693549d170a0fb167206cff5dd29d412008ff

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
61b2b6c790b670bce114993af0f09dc9

SHA1
7ae5b8585a4e922cbb511dbd2256ee99eca6802a

SHA256
8ea7a7c2243324ca829aea070bf1d44796ad1a39a214e434ca6e942f3a48be5c

SHA512
6eafd684eaa9dbab29935f84616daf2febebe2338eecf4b18f539726a4bf1ddc126b5754fad90aa89c0bbecef4eb78791c740976e11a1e6335b44ca73b36e7a8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
127d167e5d18b2cdf997ba40771dea12

SHA1
f7ca9a3261871128ef674293ac89d9e53a7e1c8c

SHA256
2ba78e5a69da3b762d17dfb0d6890230640b1599064ef06375e5c4b7f8cde8e2

SHA512
6dd8977185630266244c83592a6d36938ce2c630838e2755814e432e3afd6419c67bb4b7efb3e7716ac8ac40198292a94581c47ec7af46ee6541232c3453516c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cd8d7050d137ad95f52417acd265b0d1

SHA1
0570a1774becaceb7831cd55fb3dac9e2ee6db50

SHA256
d1d75eda82805a1f349ca644a78c525b730ce15e5c9daced6a940ec5d2a326a6

SHA512
9814b4561b803f73ee0d29729e8453e28703fc728aeb7e0cd1b274309138f2e7e50f0c54990e20f66efc3154096169124c67d7afd3d9d94a802c4bc2cb0a7ddd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e4ce87e23e9229a2644c6476b484d8b8

SHA1
b9cc244fefbc8d0c3f2a946de00e7842cb39253d

SHA256
b4b8b7749d8a772c57a053d404e5d1f1027c583d07757898bd8af3bd8351d6a4

SHA512
54da8e5ea0bdb590d731bc92af7dd25bbb96a11020ba5089178ed28bf210acd18c2247984eee833acfd4808b8980f0ffa9c3c0f4313546f33e7358c5a2f907f7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
619d5361daec7f6e3ff73fdc8f473370

SHA1
edd91c8e0735162c112efc3892e055122eaf1c18

SHA256
9e7e2a0aacf7758057f9c4b5c18edc91b607000ea297aa5b48faa8dd20196abd

SHA512
c927516d6e6711570ee0de4f22d9998aaa69c395b4a6c379140530d7340f968862ddbbc69a9eebe7c0fa516236933271b2769a6bdd5d2f7078b367f4fabf6093

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4e0355c1f7835f2a4642e8b4cc1b9859

SHA1
f15a01d492748ce854ca0963a21bf31568969df8

SHA256
50f806f8e1741316e3dd4ab91f2f4d19098ea3aec9f1bfce1f8e1e1ae1cc9962

SHA512
3caf97933f60c834101b4680c84b633e16e0997be828e501041ca1427b314a369d2d569cf378e2ffc8eb3ce246771b54c6812bf11a17ea9b898fe6cda15453c2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9180b09adcf84e64e2550ab20cf74f57

SHA1
fe75b23aeb4709c3c51d060be711e09e3fa23a46

SHA256
358c99196446d66c4b038b02ef4a6e39445192f68d93f4cf3fe8166ba9b96871

SHA512
7dc2f7cfaf84a5d1e628ae0a6bf4bcfbe97adfb1a9d22280595fa5e54ce2250cb5f2a904d6592a1047e28cd948841ee1ddbe4b999f41b543c8b426d8af4b164d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
79a1d2af3846afa8d6b97d05f55b6faa

SHA1
678b77c1f633fab49be660734c2d3affd1edb765

SHA256
4f57ea34ab928f7bbca604c5dacdbbf903d7d0b87218a008e78e237b74fd98c1

SHA512
881d96bc67ccf518db11e96ed7e85c5e238724137f8e60f9fb4ccce152c63c59660882f7042eedd7f232fc7fac46bf98806acc790afedde3cfa5716effbb741e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d0c80baf70d8119d85283e8b815e85a3

SHA1
db5338bd407835253ca622e283838687507e055d

SHA256
8ee905f5dc968c7e407aadbe4cfeeec07d41a7b7f8ea29384ea05b960b2d3181

SHA512
54181d0918c4085379db874118c544e99ec7b1131a1d446e594000621818dcd000c3b18cf2ba15f858f80f14bb08e72aadd46a102289130c391cf7eda11c35d9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
b500c36158cb18c6446594afc161cfcd

SHA1
be89a2ee60e67610d5ee27bc0c12a9505f02b677

SHA256
5bbd822150c3b7ffc1c8eeba288595cdfcecc4198b647d91fcba940a46dac678

SHA512
096560c366be2da9748a3d9116eb505f905a6517e5fca7295ad5c7c313f1d96a4d093b8b549746f7285fc3f29d4b248619dfb9241bcda5ec98df396ae0c08eff

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5606cd7f1fb361fcc5b4786dd3cea054

SHA1
103d2370f3ea3172c5101725e0e61667c19dd9e1

SHA256
9b7b134dd64e6bb0e8a21d28431f83d750c3cb5ae7bb16982c4014de119301aa

SHA512
bbe925f7c70f628ce389147ff86cf9230392215d9887f095f7e0c1c9b4ad1e8bb1d9a6696e80dc8d0db71cf0aadf4acd86b6eaac58d9174b87aa04a9fbbe11fa

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
10435126e245bb2b161b5550c62e844a

SHA1
6f919c63f2cf5ed8ba64f9e365b65d027cabe3d9

SHA256
35693a8fb4915d220945cd83151ce87fc5c2e74d21d3f6c5e3d2f6afb0777b4d

SHA512
eca18bf8dae91f7032a546bad1770571738615fb662efee66879140707a14ce1d959a6120c3dcb9004d52b8fea8f3a896105299634149acb743146343b268744

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b195718728c49c8773a1ed16baab0c13

SHA1
7f197ef51b037725c3340ba487c1482481085975

SHA256
b31562cc343df40d962ff6a7407ce51944b5e54b16265aee1d146748f788ba0a

SHA512
85acd16b407b3fe0ecc4ce9e3af290bd2c014f010aa21f9d96c29aada71b5a81d50751b957c216a867b91dd518dfdfd1419690dab9bacd778b6e2fa0466c0e68

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
aa7ba0c866d2206e3d18f080e936f30f

SHA1
32d2d0168312d53e2838e723fa8d926ec21df408

SHA256
6d22c1c2d2fae6a7f9b4677c7359f48416687fe2d739e311f59741131d52cb77

SHA512
63782584782442d40961157a112490d7fdb02ffcf980ba05994d4c2d0f9c289d78dfec4d8d65d1c3b91522c7373d667d4cc5a0f0bcfa65929bba0008334b2c3e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
10aa963f0e759a5710c62459aac39d7d

SHA1
6419b718150ab86ad7cddd97d6f00ca8dc5f63db

SHA256
83432606998611673972e32b60b7607dee664afeb19919e40aa579c8c5c84ed8

SHA512
3f42fd66b7fa4b7828a48f473dd9125fe3927008132ce0c36e4d453eb0ff6c93ac35ab2664c794d23c8798eb0a318c7288f7f04abe475a89664e6ac78df43202

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
763ad113c60816102dbc5eb2b95f20fd

SHA1
dc4db0fb2efb4d0165b453df66d39999e859af6d

SHA256
19a01a206064a50999a11d2ade0ec9c8466407ea6f75c8cc31868a6bf00c00a1

SHA512
7d9a8c03391fe9d5c4666a751263b2352096a8b635deac6f846ee6b60ee44e6b9faa2d59a6c775d334a51508cd52674745d2657436c0017f0174ef917297bdb9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
24c554fb60558d6b25484eed7171aac1

SHA1
51ac49d9d92c2dd41405b09272132bb95b07d1ab

SHA256
53f2b9e7e86e232f023d02cd57aca44958b2bf63b2b39192d880cacac52f4455

SHA512
569c0864953cdb4cd29664a8cf483e819e018c15b0d373baf497673a822484c28ad6e83aac8597a3a5a08fbb0fcd5d92e2829c835465285b5a5555e0965a05e6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
60eae578e8a385150451406c65a36371

SHA1
1fdce333b36874ee50d83f9e9e68f70092ebeb40

SHA256
42e8330aed433dbb956fc38bdcd8f3b547e96a4d1c654f29288b6518c407d9b7

SHA512
5e45c12b957af8e83b8ef605380d24f83dab7e7852700ed4d376fcb8846dbfa1375792c6040f936f294157ffd84bb1e57ed5c38249dbd7b017976f84f6fdeec5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2e274fbed4d0e9eb2c6f2b59537cad02

SHA1
5a9e77f28454681db95e4b589e7b89c0f8126b17

SHA256
23a54f45f3820c19ee3e2c148050df5d2e998a3003158a150333463a37fb9412

SHA512
44b1bbab5183720015080f965f797f106ea4fe255326de7dbf568e72602ed1eae66b2f36746d5ea283ffb450374dcef3c3097c2809bd09051a4710f0df8207b5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
d3a063f9907df9be64055c06f1c897df

SHA1
e72711c2a3009f966c293ac765d10828977d519f

SHA256
15bfe35d7643db8d3def20746d1b5bcd469490312cb02d414d4133217063920f

SHA512
5a22d948d0d8f3247446d598c8c58396dabfd6beb24c556c231ca178c0e2f8a262afd050198316f756849c3ae0df828ea849375141dbd4c23baa6b8d0e151c5f

Download Submit
memory/64-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/64-114-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/400-156-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/400-390-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/740-115-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/740-123-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/740-121-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/740-183-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/832-84-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/832-176-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1100-126-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1100-200-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1100-127-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/1100-132-0x00000000006C0000-0x0000000000726000-memory.dmp

Filesize
408KB

Download
memory/1160-513-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1160-195-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1260-201-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1364-137-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1396-514-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1396-196-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1628-368-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1628-140-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1812-179-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1812-177-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1924-144-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1924-385-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2112-199-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2112-515-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2592-473-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2592-161-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2924-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2924-160-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2924-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2924-58-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2996-151-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2996-46-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2996-54-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/2996-47-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3356-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3356-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3372-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3372-22-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3372-25-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3372-136-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/3564-180-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3564-512-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3844-0-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3844-107-0x0000000000400000-0x00000000008C1000-memory.dmp

Filesize
4.8MB

Download
memory/3844-1-0x0000000002750000-0x00000000027B6000-memory.dmp

Filesize
408KB

Download
memory/3844-6-0x0000000002750000-0x00000000027B6000-memory.dmp

Filesize
408KB

Download
memory/3844-7-0x0000000002750000-0x00000000027B6000-memory.dmp

Filesize
408KB

Download
memory/4080-509-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4080-173-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4136-112-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4136-106-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4136-99-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5036-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5036-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5036-70-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5036-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5036-69-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download