27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
Size

2.8MB
MD5

935272bbb0dcaccf4b49cc74e1018a50
SHA1

7ab32c27fc798d634b9f8f1a166e13c65272759f
SHA256

27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122
SHA512

add68a604c2aed28ad53892bb0288dae2c696acba225618f6f3adad8301e5eed60f7981470f677e1fb2aec06343d3243a05a71f8b59758a1485dae6b77c12548
SSDEEP

49152:xtbIwL5D4Jc+b01tnAyB63TANQnMEx6Te8wTUDmg27RnWGj:/kPbiHW6ZvD527BWG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
860	DiagnosticsHub.StandardCollector.Service.exe
3284	alg.exe
980	fxssvc.exe
2540	elevation_service.exe
2464	elevation_service.exe
2964	maintenanceservice.exe
1856	msdtc.exe
4552	OSE.EXE
2856	PerceptionSimulationService.exe
5072	perfhost.exe
3244	locator.exe
768	SensorDataService.exe
2144	snmptrap.exe
5024	spectrum.exe
1728	ssh-agent.exe
1740	TieringEngineService.exe
2356	AgentService.exe
3068	vds.exe
1168	vssvc.exe
5064	wbengine.exe
4980	WmiApSrv.exe
4236	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\System32\vds.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\402200a020b56551.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\System32\alg.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\locator.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\javaws.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ee9f8aedc13db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048d323afdc13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd4cdcaedc13db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003286f6aedc13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000730814aedc13db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dadfdaedc13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eaf2c5afdc13db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ade193afdc13db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d28415afdc13db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a6f40afdc13db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
860	DiagnosticsHub.StandardCollector.Service.exe
860	DiagnosticsHub.StandardCollector.Service.exe
860	DiagnosticsHub.StandardCollector.Service.exe
860	DiagnosticsHub.StandardCollector.Service.exe
860	DiagnosticsHub.StandardCollector.Service.exe
860	DiagnosticsHub.StandardCollector.Service.exe
860	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2344	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
Token: SeTakeOwnershipPrivilege	2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
Token: SeAuditPrivilege	980	fxssvc.exe
Token: SeRestorePrivilege	1740	TieringEngineService.exe
Token: SeManageVolumePrivilege	1740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2356	AgentService.exe
Token: SeBackupPrivilege	1168	vssvc.exe
Token: SeRestorePrivilege	1168	vssvc.exe
Token: SeAuditPrivilege	1168	vssvc.exe
Token: SeBackupPrivilege	5064	wbengine.exe
Token: SeRestorePrivilege	5064	wbengine.exe
Token: SeSecurityPrivilege	5064	wbengine.exe
Token: 33	4236	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4236	SearchIndexer.exe
Token: SeDebugPrivilege	2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
Token: SeDebugPrivilege	2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
Token: SeDebugPrivilege	2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
Token: SeDebugPrivilege	2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
Token: SeDebugPrivilege	2768	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
Token: SeDebugPrivilege	860	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2768	2344	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe	82
PID 2344 wrote to memory of 2768	2344	27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe	82
PID 4236 wrote to memory of 4428	4236	SearchIndexer.exe	109
PID 4236 wrote to memory of 4428	4236	SearchIndexer.exe	109
PID 4236 wrote to memory of 3076	4236	SearchIndexer.exe	110
PID 4236 wrote to memory of 3076	4236	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
"C:\Users\Admin\AppData\Local\Temp\27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Users\Admin\AppData\Local\Temp\27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe
  C:\Users\Admin\AppData\Local\Temp\27b3da3ec892aaa861295d92e2cd0234da9885c9c71c80be8d9e0fd5076d9122N.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=80.0.3987.132 --initial-client-data=0x2a4,0x2a8,0x2ac,0x294,0x2b0,0x1401ba6a0,0x1401ba6b0,0x1401ba6c0
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3284

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4128

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1856

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2856

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2144

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5024

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4236
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4428
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e130c86a72fe639f267bff8b56574b75

SHA1
1ff4b7b19056646cefa4a2d2162c922d09bcfd48

SHA256
1603aaf189614579fd26c63480eb0df5550550c77f16cf7940fadb739fa5c90b

SHA512
9b6fd9773112c66b8c8c854239eb7f48fc6db24b1044da5540e4fc403cfa021b48a14eb6d4387d157e976607eb614c4bb669c04902578ff1b52ae5c2aa7c5243

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
ead053743521d3c83ec7059965fa205a

SHA1
75b3ffc1537de7fe54f121550d04a2bd4d5e8ada

SHA256
4735c1d17738646c9a69fe8e5e34ec80ccf6eec86b4139a6320e070ae6d48a5c

SHA512
7fa7fe3a02390907b5e00e26117b2aa820feba1c51590713a3411ab48e3c9bc9f440a375db72ec396d9123b960386642b994ccaf091bcf6ad3a4fa49d0ad30d7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
0775fa558a0bac7eb629ae19804050a2

SHA1
378e5acb88807a971b8687457c6ca31de02f7d90

SHA256
c85adc99eaf9df4e5ac11ed2d74099ce6ae981d3663ca298c77710fdab9f75a0

SHA512
9d555b11b722e69c75c4bcd2d32981dc4ed479b7176401b04ec4a76b71857d34455a03bbaa3b8be48b9a0d1726ec6a70752e374ddceae87d7fc8313760c611d6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
cc012af3ae0885f4b4c082efd53e2343

SHA1
c095b7ff7ee6b1c2d6cc63587f33e4f79aceaab3

SHA256
281fdca96a0cbb266a2253a876e993ec848746bfbb95ace77e0213b0cb9401a6

SHA512
b66056b8842bbae229355e77fd097b5b5ba64dc97b1c53f5cee637f63321a81c171b7ea74300c9359d5b6dc723af26ec2810e7c7f802567772d2622c51b79a3b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a4366c13c3f8fbe49af861fe0992b204

SHA1
a41ffe5a639152b12b51c34ee284ea413c13e6ea

SHA256
e933894c18b5a8be8a30854ef26ed393a5045ed658ab513ffaa4144a1a585e75

SHA512
3041b26cf3ec450901dbc975bcf399bfae236973f952c12b37edb6da5b7d3bae20401b22277b90143ce6bb85abc99d3ad93ddaa7d65a45f1aaf2f6d30029b966

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
b76db9290cc6396be57f4bc2ac7f394b

SHA1
17be0855357be4898255e2fc4af4cf1d8b316ae6

SHA256
ffe09d70f0eeb20ea2a98143396e5edd44e2c1902016c508225cc99c1ceeb8ae

SHA512
757c50eb11eed0890f6087ac5957555e6ee609e2b8ffa48be21e07477ddc61252e9d5e00da12ab286cca77dbf60871d1cee8cd562afc68fc03ad03adbf92b117

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
956131def6beb287fa876756a9e832b3

SHA1
515c5c2a443b84ec9a6a9976ea2a662b39957bf7

SHA256
56ecf7faa624aab2e6c6eb9ffead5229287cb2d19e5d5c6c0b19e14c64fc2996

SHA512
1f5035518eaa6ad6fc2fceb73f8edb6a0a749c893d741f0fce77dfadd775702a89f64f0462be80c26515a6683dd3d9d9c38bd82db0c6e8db38ca01de8f910d20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c0cc23221a71f931589042f571a9b94f

SHA1
f80cd12e91c43095ad010f89e4b52bfea38e5e19

SHA256
e37423b0fd57eec57f8ac51046c238acf657af62206addebfd1786122dfe30e6

SHA512
bdc51532362947e2e5e6729893cc5e822bb0629adcaf6fe35512737e9451aeef3cbd59fdb1d4f4e55df8046f23f8ed5c80cbe42a0fdb359e66f9c55788063845

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
9f0b80f979c306f28e0d22869de71f84

SHA1
8ccb55b04be85292f48c98e835d26976bffb4b0e

SHA256
42a5bc19d52b78b7a019081a9067a11987408dc2a57f702016e023a64b1758e8

SHA512
b82080711b15f5afe3c72110db09132ccb90a02414fbfb51bdb2d77ffcc98c99f8b33b255d0b263354a1c3f1436c8da2e061783c21fb30034ccfdcde7d0c4339

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1e2ff5bb619c634a748b440b0e7c9eb1

SHA1
100dceac4a7621fefa6d92ceb5adec24dcd49c45

SHA256
199696feb37b6958f843c679d424a4cd645cb7831756e6b72d5e7a72a1d07ab0

SHA512
9933fb77d91997786297ab321f3dd2dd8aaab1d89a72ed4e0c228f8af9f977ca43f1b410a0c674f09e3b9d06defe7ca1c6ae4fc5c1cf52d3dc360a2ef69fe387

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
068a3fb7873d8d2ae4ebe8ecad0be2cf

SHA1
27468890c318b6cc192d888166e0a941c4299a20

SHA256
146a2ea687a8de317bb8ce2e4442a95be8650067ca5f7450ab2e366903c6a961

SHA512
ea1bee6fff1f170a88fa277b75ead591b79b6beea81fd741d275fe6977b34f34e4ac599c7eed0bd7af1e87500c365997c6fffbe8b9a49b6d4c53785ad8c33d6e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6ddb72a5c8f66a1d7c03833a2bc7a448

SHA1
b5aecdbfdc40ddbd9262f0e2afaf1f43b26a167e

SHA256
4a75235d88b5d74a44789767e997acc72f790c2a92d141c0e26bbdc21be6d67f

SHA512
3ed96c036c6f1a23baf906a4eac023bcd71591434f2c6666eaea29f5682f2339695da8f37354c69733772da23eafb87c61ce17360cb80b66e8612a14241e88e3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
890fec16055c033f0bd6396be956d4eb

SHA1
8b40192eb6ab057d3c573ff37c2a0aee22b3643b

SHA256
38a94f2498a466cbd774daa625fbedcd3ecf42633072670e5b74bb0bfc56d836

SHA512
e29f476717c06b0667c11baf911c2b15b34948c5301c13bd5e585ce1f327e33dbe679e8f7a95cc9bea6d18ad6b6ec956e95a9708fef9961af7557cc9955f73da

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
896bf83d81fcfe14f99eb1a05343d520

SHA1
156c1db3e9e90289325704b6a2d44faefa181046

SHA256
21dd8f7a71cb1a1806c3e7650721dadbf4dd87b0b4e607bb5de566cbbda289d0

SHA512
b2ac84212f09222b0e60c38d5a8e83bc54d1199055235cca0d4c9ca92982b8a5a0b62e1628d96e761fd69a752109599cc45cabdfbf5869532ab8e060f71dfc14

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ecf692a7ac62772ea361aefcda7b5f1c

SHA1
ce61627ecc06bca010393e66c465d5153519f7be

SHA256
c05de5bdcf82bc78c36d8ab84ba948130ce219b53bb4d9d2d7af5724fe51cb48

SHA512
001aaf18b9fafe30374450340bd17a505a878ce803dc70dfb779b221ad480c03d29ca6666c951bdb92ecb4c568e1273acbc0a59bac11f65e95db50e1c0eb693b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
ed31f8109aa2b7fab8c69e9a1ac98012

SHA1
b25809a0531ecb04b6ccafa1a8af5d1a288d2d85

SHA256
56968ef9fa7db01eab3a0c1195b1a1d9bf68f72f12057510d9a0ef3647922382

SHA512
e5e8ab816a794a0a173fcc0a35571d0a38538311f1827bef3cf517ac5228fc444906e41ab4f2c73684ec5aa6b25a05f2d4f4a83982798934a97c00bba91f2a4a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
1042da36eabd01dabf3af2f6bd256c47

SHA1
1409779d20a592ba476509af0d731d21f441fa53

SHA256
e1c06ec1566d82d7a94580940cdce56344f17bd06ed597796f9393dc6c8be5b4

SHA512
6503a8f37ad35557632d2dfe5836aa176394cbeb4c9c50b9a2fc78e93bdedd982737b53ef4d7f172df94c1df167373e8c24f16540f92e6b082161615fbecbcb8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0c6c4e4801925aec504f92afba07e273

SHA1
d2938ae7bd616dd81dfc257056f1b0c14d9b78a8

SHA256
cb5522a10618fa0c8c918d5519b2013a825dd30a9cf246c117dcf19a5e075dce

SHA512
be0d2d9a0edd019c2e771bc5b7222ca05df5766823156bef6647575628696c5347caf3d43690c2ed7aeaf20b1d647fe90584148d0f2da0ea203b49b725e62635

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
84fd4ca6fa4d4dc9892dcf191cfdf8c7

SHA1
9ce379254317fc8b2be480f10c6c18a487b3a851

SHA256
6ab257dcffd6e852810f698405078d0cb63b203901e30c73633a83fcd45ea7f0

SHA512
75fbcfee1e8d535765401a8ec7f935d0792e6542fdf7a98c55bb685ce229cf3f760fe6396b95c11e8656b96c03a930422e6b925621104a57d5d248c2f1976288

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b5952f5254499eca59653c9e962051fc

SHA1
9178eebf4a26763653bff2124e111d0192f73205

SHA256
a8893cd266199f006ed5a616308bd39fb40f6768971982ac7de2d301722fab90

SHA512
afd2f75c4991b4d8dd3c778a160320882175dbe27a33b55722496cfc659ca0f7f7e74689442552226e462ea36d95fa5bb07c9d371dd3bef5531a148d3319f296

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
41fcad67568222c7e57bd0188fe0b38f

SHA1
11d82d11175a97cae6089f3a693b64d27733c535

SHA256
6d0ffc01a4a3f6715936d9d12ed73e14d6fb0efe1c7ae453c9f70a7cf40e1ddc

SHA512
b88dfddf3e32d20d84531fa6ae0522d9a1ea3be305e7d5a814831488070f49013e190fe07b19b485c71bf9a792b48dbd47b7e03d0d5413335b1efaf5b4df1f72

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
e792e396291e83d633edbfd42b7191ca

SHA1
d9ed5c1b3b7e5686c0dba1b8ecae6e60ee5cecd7

SHA256
050131d9b6b8bc0b45c2a6c95863e016bad69bd55819c6318d70d79c0ac80835

SHA512
4cb65f86639ca109b324830601e5447c171e72c6f8e73948f6c190a792f60bf8fc8ebe8bb0afa2bfd44fb80e2f90ae0e7002e4ff2696a9c7116a93014ae5981a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
f25391c21981a01d029aa78a95c03fbb

SHA1
950d374641102aae3291f84cdf9f20716842de26

SHA256
8c4247e5b5de8689b2e0e3ae9f469351056aec5c5c45c8f7d8f888cf3100d823

SHA512
ec19232e58d67f8234d7b1a7322730963e85ef9b2b1c04a0c6c6be6c4b1f5b45908b0882ac5dc98e35a0fc30c7e2e18d5728b15f08fe04a4a6f9fa133462daa9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
57797b612b6636561b8a834359a01363

SHA1
16eb6623396f2bd20f980bf5823b89691ee539bb

SHA256
ac06ce4671fae4641ec2a96fcc79df1f3a8a04e59682bd6549608d7fbeafb17d

SHA512
13b9f9e97a45fe077c8acab3cbfd004a425c1a996bef6b495e06f60d15ac736c300cfccf73b0059974960b8002e7168724995e6e556349a42a1e1ece238ec0a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
b62371821d91b7a8d6fbf82ec45fddca

SHA1
94db1beb71db30699e5e73391d381eed63ce4f54

SHA256
8a9f464a4c7086be5b0a004d72629c6e4d6d15a39604d4e2621c1e082fd92a38

SHA512
6a1131c887130647b99c862ec2307fa1688f3437baf641e69ec46c0b17080ab01f317719cdefd4a52e9cae346ebac746366974efb16667ab3406f3ec2783ad4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
961546995934c1c24f4310312f33b57d

SHA1
1084f50c4fb139a9af5b2423bd3cc5594bfe3dff

SHA256
eac6ae357c813ab888fa0f5471a8ebb76abc13924b495c8848cb9785136c9202

SHA512
8c82850897fdd00b37f8bf26a4df6c774d2038e1c5d0a1e8c5a6112d5c05967675890c40a3d923596f8c046519b0c6eefd3adfa1f57afc3bb89da542fb19f7a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
ca233de9658d37d6c4d912267292ef23

SHA1
19bd3c042bd7d4e2ab264f4bb9dddf5c0693cf16

SHA256
b0206c38b52fa847161d40f1cc2944005808d55b91218b7299569b23fc8843ec

SHA512
fabf01e00679b90a5296815fb29509b3e3e696a9f0fb8b53b4628208648d2a0d026f1e05c7c5cc8cd54aafcbc7acacf9271e395fb246de6a2bb4f6121a416205

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
4e27c6258c873e2879197563e4f6c359

SHA1
388589805194f545e81bb1fa5304dba3ff35b332

SHA256
72996cf5c1a06f29ec68c2b4570c8a3a5ceac3f00cf0a42b6a03ed5175a4aecc

SHA512
083100caa10e916dfa7978bd33b408c80998c481c09d69414ef7518c563dc9cbd81edd1347372f0325dc2032cdf256010f53aa3dfe5ff7f228ebff253efbd8f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
588b824402f9ed25c8b2b4b0905c2428

SHA1
2a833bae8fbf3888594590380768bbd82d65388b

SHA256
e397f6dc2c67fb21f5bddced3c7a2dcc10511880e7bfb2d86bb0949097d21ecd

SHA512
f3504a3e654a788dbc08fb847d98005566da2f458372dad19ea6d3b4532ef20e45fe249979bdf8bd03a620ca334987de1930d519e962f97ff73746fbe46cf15d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
39ef026752786923203cfd28ea8a85af

SHA1
3d712d1e56a0fa7453af9ae11defb790011d1ac2

SHA256
13e371f53d9720df663dcc4c1df3ff3b8762da3a22b30c110b84ba1d390d761d

SHA512
2c7331ed30dd285428eb3231956e0425bea63ee8445e4846ce6337fa2d1c67b0af29fac862a0febe56974ada7246b9e50328112820ff42830867caed86f412ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
fd737af4ba751a040fa19e667e6f91e0

SHA1
58fc7207ede0f0d8f99b3f33da54af9ac1d6a9a2

SHA256
fd9c403a68733b11f1af0745f6cc014ee396f1d7a48de5b29004c1c241541b7a

SHA512
f003af6c99c392385d071804fcd8a906d5476388983da52f0d03d8c47d2462b44b35a4e40ea5653a7352ed1b402dc1cb1f09b4549c30455d342754127969dded

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
8036afff6f4c4bdb46234178a4f37578

SHA1
37ecba2f276e0d464298c98221a179a13b9ce20f

SHA256
093c7fbb9d669314f6ad3f12f26805edec6d28003142dfbd3b936c497de1ee82

SHA512
53298087ccfec2211d92df506f523a8407b651950d50a1ba4ea95ddb3238543a48b33be4178d2c59c7678eae1a3cbf9d737c264f9d203f1fd8f759abe9ced98c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
0d2e488783b4395ca92989850d2e436b

SHA1
1b057c2dce6148bd22eae527017c56d506229aba

SHA256
b079d00c1d0fdb12818861cbb219f5ad595575e27af5a6b7beae15167eec7974

SHA512
459241908da5e68ce8cb2eac45d9bc73b9bacd7f22b16afe9cd4c0042d9405e51484fdccb4fe0415042488a5c596168e9e4487e68c7019bafd838cc01bf158aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
80a35e4ae40bcda3dc690ef944f0db16

SHA1
43b902152dc2172b17bb5dd7730baf82ce3d1ecc

SHA256
77d5306aa2a326e45f346c515cf53c20f7c98dad6cb1c844cfe16609162c2858

SHA512
374955764223ced01ac39a0ddea7afa1eb011d7249da5d144a8c1333b9227445f7025059c94401d3b597929fe9c6ff99328c9275b7cb28096a1ca288aed5e392

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
297d0f264eec8ef35fd88cafcc2ee7ae

SHA1
946ee6aa9a584eb8af175a8446cdafb4644b702c

SHA256
5201dff8d460eb7b129a06aa0374cfb4758a3d440fd8a0ce8916ca39dd5d81bd

SHA512
3c376bc60b2634b15f0e8bbf6e3916bb5c450ba925fe3534dd0ba46670f602c4e5956ee557afeaa4f7e3c405a7aac2915dc932fe2e6eadad8c6e6bd01bd4c10e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
167b9b271ba1cf538167cccacb047995

SHA1
14cf6cf587bb95fe7330e838fba352b558825f92

SHA256
cca94db033620f94590420a36514953fc18ec9e84357ff0dcd2f9dfd5d7f4ea3

SHA512
4a74367e9cdd90f94221cdf66d371be473da541cc0f3a19caeebe28d2b8505b1b19f7007b0884e52cb39eeae3fa37d3563ca3634593c362a7eaa920eae0342ba

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
a269bafe2621139ba50bb3f744823682

SHA1
fdd55ea2f46d5d7c169034d402a32bec2db3211d

SHA256
5bdc1e4f140bd2189ce35552f39c48e9e62e298182974dc4e3c401a0ca06a8a6

SHA512
a176ddeb5ce5674335b6695bdfd07c7a8fdd6ad908ef0e99c22d692af2f72e222c4f2c9ca0c582b7fd86588f04dcc96c3aa5a5876fbb357955aadd7d5a8b1af9

Download Submit
C:\Users\Admin\AppData\Roaming\402200a020b56551.bin

Filesize
12KB

MD5
def5be98cc688da6fba4954762763396

SHA1
54d1f0f4a917207bd022aa7ef830a215521f6111

SHA256
600fa98119a39340e1c3704fda24c185c30bcf69d84c179d4b07dfa6a89387e8

SHA512
21eb4772537a240201d29344596c4a621a9e9a28f7f5d1bce977455484b0ffd6b041bb9b1f9871cba85e671f0665e55860171a6ecd6cf983953204693fe585cf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
a54825760613952afc951a822120ac42

SHA1
5d1790e725e396ec9414e5f475e12445d0048c83

SHA256
bcadf18599fb02847ce5a3c1c548e3d7e72ddb1baf7869c4f808d6630bd63bfb

SHA512
99c7d947b1b42cbee8b788d21351119207c2fbac1ffe7b8cad57bd2c1f2b8a972674bb8f9e456bac592fb7f86bde48f644a1821fa56a3d3798bb6a9016c47d91

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9fac9d25abbcc3873a1ed2e7acf9a3b9

SHA1
cca034738cb660f59ff73ab1c575f71d694dc0ff

SHA256
46df1d8c651ae94123d9df46c3d3d581f38e44c43387f078dea0a1ddee61e0f6

SHA512
33e68cd085cb9868194decac8a22fa42d958e5534f9fa260a297c2e66e5f54aab473680f9d541f70224e943d231adad6d474e1ba5278e25dd099f0d8b714e71d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
eb6b5b13504191f92bb53fb15c3d8330

SHA1
20eba1a2864e784b1c6af69fb399dc437b8ab302

SHA256
5a2dd8f0913928018d33ec5a76dd909f4c6f544225665daf7fb99ab8b0308870

SHA512
93d967589c0932a1b5c5776a9d70dc34d5c06f1c37dd7b58602e7168096682db184a7a69c601a1c4ece9e6f297c79f508d24a529de4baf19b9414a4a674ea3ca

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f02501147f4d40fe238e62422fe555ba

SHA1
a2ded0123da38c4f2044f62a889f46f6ed4e6e6e

SHA256
34924bc7d411ff0f63a44695bad4d022ea34d6792e71ffabeddbeea378c8ed47

SHA512
9decc226dd63f3fcd0d2be4fc8ca1bebc20d4561b7520e5adbde2ddf7ffece5b45611489470163bf1dfca1103cd531f88e7a7e72c88c84bc7df74528d3ea8b3c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
c865b7bcc544293f77d471942a8f374b

SHA1
c1d2535815ff5eb6744fc32c5bc404a2ea2d4090

SHA256
f649bbf288c969fbfd8dbc9857ed0329c2bfbdcf5fff89c6f8cbb06ebaefaaea

SHA512
f66d30a1da1c27dc0d442859ec6d4266ca0ef18127705032e10be95e2e5a55b07e75836167d4f6b963e7445732782e39c0b1e681c95d5fa96684586d61647d43

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
e0892ae2fda34ff509a21b1b67bcfabf

SHA1
89659ed8813cf80f966e086d06207c43afec482d

SHA256
441878f50ec1efbf2109279eef1f57890294ab6df634c6ec3b75de27a795c911

SHA512
dd3d60cffe57a081426777bd9a714b8cc85bb4b6de7ec1d017d32f7e5f9c45f19876cf31153035e7b0f7fa37d3c12676d504c0ef77b693cb1f02307c311e7335

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
90dcacf218d5939a36f5061508c7e977

SHA1
ab81dc1c0484e005816bc7772f65315c0004f286

SHA256
47c306fc29e76075188da4a9c42a3ac1439f953db6c4c0b052d9bcf470b3e550

SHA512
1bb8677779d5347a021e5d78905b3d14509b5ad504199942fe1c164eb69496d28e90be0c52c0a7bc33c13e0463c42b4303a6de697afe14c639fc811fc30710af

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7d5d89d3e7ad44851e3c6c322c2484e6

SHA1
b59228fae6ed15e958cee0f44d040c8004342c0d

SHA256
383ea41d235acf74ce4e1e85d5bc9e0af73b27204eee346d860186a5d184da13

SHA512
1e605fd0a6fdfb83cb499e09c44c4cdc6b79aed04be6e5d0267ef0c088e2d3b58aeb8f49a3018cd5df3b32165a07373334a555322e5ea1b19f1cb307d1d3b843

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3a48c0b299a0d38c8784d812cd72ba38

SHA1
074ed1fc5e9c3afdc2e5536ab2b29ca522f200c1

SHA256
99d8de5e344b70745ed45524bf402f5863b191873e2b16b487ee2f18809a4eef

SHA512
9d08acd1df09465e186fbb1c981d5d6325e1b5889081454eb25bd24088b52f2c7d075598acab3876d6ebefabc27e52b456d3a65c328087ae5addc88408d1a5ee

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4cd28c47ccee8f455b963a95d403218c

SHA1
3678a0d9205955666ef51287cb8ed5eeb5ed7e24

SHA256
7fe05ef4bae34a2482f1cdae723f22c3672cf12a7587b22d6804d04318262ae1

SHA512
2af3159b8b804856b6031d0abe413f387c2e3296b3eb4eea4adbd312dae1966dd99e8cf992baeb552ea6e93268aacd22fc4dc7c197cdbd1deefbc2e55a275943

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
56d70e06925cd30aa10411cdaab6d28a

SHA1
4e9e78a1a9c5391071684fe4fdfac752a3c3a652

SHA256
de687af32b6fc5b454d5f1ac99d8e518d6d308b44b69f215cb88e75d30a2de02

SHA512
669a945fd40b0273d1b136875ac75ae106cd0330b4d2a43ed0c579ee6091f54c5ff783a09c75ed07c0cf6b85dca2afe38462e5ae96e53e6076b795adba1325bf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0a18f160b00655c032dbc0b07e16edb3

SHA1
d9fb9bc898a0c38474d318b973ca246248fce915

SHA256
186daa406363fdc99a9688ce38d360632ff1f099d5c919404e96ca4f67bd792f

SHA512
97338ce033d3c2461f8d28497e833f2e8f8a857e3ac5c8509dd26b84cfeb552be473cde585ea73888dd3537de484231c9bff2de684e70ffb480b811d945b64b5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
d70cb34312080d88a48178de27c91766

SHA1
6449760c7fc84136d99a47cfc6b926c51eb9a809

SHA256
a8d45c2f1433e13a55ca7627c9e2c407a954910b358d871569e9bb1571836106

SHA512
16ebd13d976ad5ad61297ca147a10a9707d6ca4e54f6586fd29115803d620864a518192e87b5ef6469d86db3a3eefb28645090d2c620d077dacbef3b1514d085

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
60e82ccf235761782a170302ac52d49b

SHA1
328d3c981039fa5a70e7c61a942e883e47eb2211

SHA256
9238372bd5373fe22d66c1a2332e98cc4bda4d1612ec586b42238ce4d16df77f

SHA512
e1762a45c6880790ff8a6e00d223c4cdb23b643e177fa60f33fa00a6d8a4e321d49ee1f7fb027e626c6a5ff071dbfeca63c1d46bb896e1ae9cced8eec724caa2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
64f04f0d5a55f79d917b661c5cf2b963

SHA1
5f9a469cd40abc15d97e2be5a60565b6762f0232

SHA256
66b4d1189403bb3b83229e00bf6130ee48f77b6f41351b554278d9166ac6e932

SHA512
68d4f4ecdb311e33f3e76af4633233d2e284ce44460e9ebe639855353a7fa257c23b7124228573a50012f35d5fac4acec4f7e2c8101b319e686c39096460677a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
da175a75e6d7eeb55d5776a2005aae5a

SHA1
3f8394c232d0e4b8c737f3a2a3e166c4bb5a8a10

SHA256
0192c6a42092a9b39b253dd0fa12cbbdc5aa5908fce5d4e60a07b997bc96df91

SHA512
f9158b5aeaa97d69d5769c33ba581db7e1f8cb941aa2b3957279b1cbfffb98d8ac4728dc29a7eb4b606d055367cad141ae4912307e49a670a65159e021ccb32d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
17e06b5f34d6b63f1919614131aa0cc2

SHA1
9916b5629edf86837e8ff45d2231db338f726200

SHA256
4c9fe89347533f15086fad09ead03e4aa4c68f061eb55d647d3e84076e34b2bb

SHA512
19a22cffd8ec077e88470d4e47c2c4ff225a89abc3a489566fac2dd391a0b4f0f32a13f6ed2d7ad2d135e8ee9e9742c899861eeff3cc3aaaad6ebf63eb22b3b5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
17d24e78d317501bd0b605018a08f355

SHA1
ecb1f5f3d6221f234a35ed86086557f6efeee374

SHA256
e2339de0447a4798f37ec84226dc9dd61db4be2319e2390686cb31cb5b0bfdba

SHA512
604323ff2f5ec9bc3256e7f5246f412d93f9d0b92f8d9e9b152022c8621fb76cd3da7f8ee04d11d3a9f3e0d48eb1afcb0c0f700a4dabbf10cc381f34c4d561ba

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b4428504a102626a87cd66d11ccb7527

SHA1
df17c2a9502229578c64c341f52fcb7a40d077b1

SHA256
e0d54a27f253b624d5bcc59eac44af91da2faf2ba2e60e08402bd3a3c0bdc45e

SHA512
06ecd10c668255d1454e45a8a10ee0807e228ea1e0dc1089ac6d89343ef0db075cbdc9f497708f3ee7b8657134e310397394dccd4a0f1cb4d6d947d9c04057b2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
de79b7294dc457d4ed4af1944d0c5b6f

SHA1
4d3483307807d4af8a824f951c354949c0357127

SHA256
de527a15516f59b23652913c62f7110d030213d2184aca6cf6754e09ae208d96

SHA512
69736658bb797bf9248ca93347703a24665817c928b9ed44b86330f8ba0c457c8808f8f4f6ead513d36963a646c8dc127984c9b6b3a38c9002844f163356056a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
286847646bc6130a435d62630a12f00c

SHA1
54bf8922f058e3335e12c00f386352d296e2b293

SHA256
7ea011ddd34a5a88a998a7e2b3f51bc6b0239e072dd3394f387b2dbbf219f6dd

SHA512
c7dfc41c6698709f832f456de7c7e0a178f293f356c8094e8c3bc0d113d6c457f9ecb2ff00a9452fbbd041cf43de9cd91f0ca150042b1758b221eca7f83ee6d5

Download Submit
memory/768-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/768-608-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/860-49-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/860-51-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/860-40-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/860-470-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/980-56-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/980-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/980-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/980-77-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/980-62-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1168-279-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1728-276-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1740-277-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/1856-319-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2144-273-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2344-9-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2344-2-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2344-26-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2344-0-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2344-23-0x00000000020F0000-0x0000000002150000-memory.dmp

Filesize
384KB

Download
memory/2356-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2464-611-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2464-87-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2464-81-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2464-318-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2540-73-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2540-75-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2540-67-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2540-605-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2768-20-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2768-468-0x0000000140000000-0x00000001402D1000-memory.dmp

Filesize
2.8MB

Download
memory/2768-21-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2768-12-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/2856-267-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2964-91-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2964-103-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3068-320-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3244-269-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/3284-52-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3284-50-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3284-33-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3284-506-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4236-317-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4236-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4552-211-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/4980-609-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4980-284-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/5024-274-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5064-283-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-268-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download