privateloader | 76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
Size

1.6MB
MD5

369745ad82fdafd37ad6d67e6e6a5428
SHA1

1c983ff448c6a160522377bad8caf2c80131acda
SHA256

20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998
SHA512

1a598a4d0f14d61869021b42ebc44a14e9bc308937ee53174a8fd665880b64366f31b28fe348cba972f2d15febd373b3885fae5ab727dc3f1cef1dabcb3eba71
SSDEEP

24576:Q7ww87NKA/lu60S/wOBlkB/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:kwtNf9/0SJBlkBLNiXicJFFRGNzj3

Score

10^/10

privateloader discovery loader spyware stealer

Malware Config

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://212.193.30.29/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

212.193.30.21

Attributes

payload_url
https://vipsofts.xyz/files/mega.bmp

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader

Executes dropped EXE 22 IoCs

pid	Process
3308	alg.exe
252	DiagnosticsHub.StandardCollector.Service.exe
3284	fxssvc.exe
2380	elevation_service.exe
1256	elevation_service.exe
5088	maintenanceservice.exe
3888	msdtc.exe
1616	OSE.EXE
3076	PerceptionSimulationService.exe
772	perfhost.exe
2076	locator.exe
884	SensorDataService.exe
4508	snmptrap.exe
4452	spectrum.exe
3212	ssh-agent.exe
2072	TieringEngineService.exe
644	AgentService.exe
4360	vds.exe
2144	vssvc.exe
3232	wbengine.exe
3060	WmiApSrv.exe
2156	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	pastebin.com
32	pastebin.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\vssvc.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\locator.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\AgentService.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\wbengine.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\dllhost.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\msiexec.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\System32\vds.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\310c2e91e5a029dd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\System32\msdtc.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\SelectConvertFrom.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\SelectConvertFrom.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7aa82a36055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b9164a26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000765569a26055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015c8bca26055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fa1b5a26055db01	SearchProtocolHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4440	schtasks.exe
3528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
252	DiagnosticsHub.StandardCollector.Service.exe
252	DiagnosticsHub.StandardCollector.Service.exe
252	DiagnosticsHub.StandardCollector.Service.exe
252	DiagnosticsHub.StandardCollector.Service.exe
252	DiagnosticsHub.StandardCollector.Service.exe
252	DiagnosticsHub.StandardCollector.Service.exe
252	DiagnosticsHub.StandardCollector.Service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
Token: SeAuditPrivilege	3284	fxssvc.exe
Token: SeRestorePrivilege	2072	TieringEngineService.exe
Token: SeManageVolumePrivilege	2072	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	644	AgentService.exe
Token: SeBackupPrivilege	2144	vssvc.exe
Token: SeRestorePrivilege	2144	vssvc.exe
Token: SeAuditPrivilege	2144	vssvc.exe
Token: SeBackupPrivilege	3232	wbengine.exe
Token: SeRestorePrivilege	3232	wbengine.exe
Token: SeSecurityPrivilege	3232	wbengine.exe
Token: 33	2156	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2156	SearchIndexer.exe
Token: SeDebugPrivilege	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
Token: SeDebugPrivilege	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
Token: SeDebugPrivilege	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
Token: SeDebugPrivilege	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
Token: SeDebugPrivilege	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
Token: SeDebugPrivilege	252	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2380	elevation_service.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 412	2156	SearchIndexer.exe	107
PID 2156 wrote to memory of 412	2156	SearchIndexer.exe	107
PID 2156 wrote to memory of 4024	2156	SearchIndexer.exe	108
PID 2156 wrote to memory of 4024	2156	SearchIndexer.exe	108
PID 2600 wrote to memory of 3528	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe	118
PID 2600 wrote to memory of 3528	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe	118
PID 2600 wrote to memory of 3528	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe	118
PID 2600 wrote to memory of 4440	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe	119
PID 2600 wrote to memory of 4440	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe	119
PID 2600 wrote to memory of 4440	2600	20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe
"C:\Users\Admin\AppData\Local\Temp\20177244bc6d226e096682dff996e09c9799cbf43bf2795a8483e25db137f998.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3528
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4440

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2888

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1256

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3888

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:772

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:884

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4452

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4660

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
77b1d3d043b06e7895b13f12c6fba312

SHA1
b9c7e5df71e731ccc499dddf665fc3fb79fe5bc0

SHA256
4a0727117135a1c0cf928420f1a4724cfdfea52d485fe9dbd1bf7bf69aade79a

SHA512
8cfe173305b7339860239417340985407b9667507b8fbeeb0a73b77f951a84da262b802a864c0570758fca7cd03c1995a6cca2e975c26ba5fb112de7b88c8b01

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
97ebabacf833501ee0e01c20fa405c8b

SHA1
5025b1dc7342d47eee7dc4cef27ae99d142be5e7

SHA256
029c1c2439e8ea833fd0229de0d4c96ebf9e3fcf36ad8fe1f7660cf79f9f322b

SHA512
a7975d8a27d80a6f3fe37f35acbe3a93601e7ed995bf611c6ff79387af7c09254589a92da86d4f7916101756d389b316aef616de6c27cfcd2915d9590095a2d4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
e98429e9e7667c3a73097946e0f372b6

SHA1
32e55d36ba4f2966827013bd4a57533c8c3ab6e0

SHA256
b555cb75cf371155bc5c644437ca41743d24dbe082ea685818be75b7334880ef

SHA512
7fb0c31589be7e7239f9b6acf978e7d44554c25ba5d91de141273de1c98b61b7fe42943718c0640dade04e13b12fe1de3e2050048a94520732cef7a5756fd92f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
42cb4df0c05ce4d15f32bb1acf5e2f66

SHA1
8f41c6a54d61a348289a777c18c663fe9ba5cf65

SHA256
d7d0c46154869f7271c02604c39cc6dfe2f10c3c2ca3bc4eca2bdc2f3e9e4b59

SHA512
5fcbaf49d2bb6f3822f4c4bebdc9918576a2109fffd087157ca4373893f82ddb7c4fe989ec294ef0b16f13a5cc733b6d285c753683936a3971696314b37d5dd5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2defb68514af045b1c4636d57353236d

SHA1
0bae1336fe47cbb2d9cb56799cfaf9c650c189ca

SHA256
39838cbee03c2f5f4d69d670f349abcd65e8a4fea95b01c2999ccf1b32fd8ac9

SHA512
32ecdde88b8a2bd978ce65b613eb5ad49f214b0320d47a5feca15805d564df62181d87bb2a5e873f52d8fb15a863e93dea6272ea880b62dd98f09b919709c9fe

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6deda2747c6c7b4dcbccdc36b52ac102

SHA1
ba3781633657b3e11f469a4cc0c8912dbf2667b9

SHA256
ab9c52ca3fc5f1e4cf529b29307c1e9133b2febbb73da7ae9d3d864a3d41b7bb

SHA512
f3fd18e5609c73762f547d7c0eebe1991de2670f509cd7c4eeb2e05376efd9320e8c5339008673508c30432e0b1fb307a66f1e216197cbad58f84862b607cfe2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
8708f0fc7b518fd487b21f25f8903ac7

SHA1
606a65acc9c25dea130d5729256dbd1e08ad7e24

SHA256
b21faf4946d9c222b570a70a8d2612e9e4d074bbd4f6b0c1f37e6a4025418d55

SHA512
4eeefd0afd3ad3eb6ea38c92c1bae38bfec1cca13d82f808917e4a988c50e20f32884db750c6494a17f00bacfe1137c1e8df384486be529408b550cca8f7528b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d6784208cf4b6b9910e0767b35adba2e

SHA1
a286ac7a6f952e83254d8e676c6538ebf5fbc3b1

SHA256
907141343dc8d5976ef11bf76654e2c0deaa6c3ca16bb111b9d0ecc39a2a1b01

SHA512
aadbe5ee2062d81a8dc9208aa6d84fce02fa565c51629dff353b614e388172c596627d4c4bbe4accc38b1cf0ffc0e7170844a8068577db341ae8d805d0104867

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
a0891170585544e9f6be8cda11f107d0

SHA1
2b886cfb09b588c647fa2dbf682f2246b9f86e71

SHA256
577f94e97608a6f8d6abc53de55b90ef6ab2c47b6f7ef689b356d5786c084da6

SHA512
d10f215d71b969e93b95646413ab566c79aacb708a349381de9efd0dde549e2ebb10b09234cb7ed5f4e92567cc623d2e6febca678cc26478786e2012ea9ad600

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d4c879695d6dd1a72550be016947cec7

SHA1
b3f0cd558bb9a9cdf812785693b04d912bc831f7

SHA256
b8ebcc45db8467994b7cad5d3b6d8087472c508e8e316331c35b5b9d13ee9c1c

SHA512
7ef6a6a6dc5e35a748e943d371b1dc0a2c9e6d403290685ebfe36fdac5c04b25ec86a313ded62b23f31e02d6f8b13b6597a1b6d4d4f7554c4dafd759f8aded6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
479ec2fe615f6c32a4188e1ee26c56da

SHA1
bd76f4695ff833e2ef523b58373a37a234f04714

SHA256
6a5e2990fcca509997dee3895e3869e9d9205bbe6717d469c77e804e1a52c2ea

SHA512
90a0ecf158dc1c62789ba93d8bf41ad76961091a11c2947e3689526205ca4eec3db990d447cc8ad9f5beccec5613f2e3082365c803925fde981f6007a27ef3a6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3d26c15869d44aab3a34d920df4b281d

SHA1
54a4c1e8ab9e8a6025d853df987785ca046463db

SHA256
421a1901cad2c44f1745c784d267103c674bbfc6aa5131445c285caa31ae463a

SHA512
c79a17bd1c981e58a009eda2769e557cf42e41a0d7f26f7939e5e538ca8c2517761e78bf005e4ddfbe22041846e2675b9ee5a8451e569df6af93d9c9e8a1628a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
f4e0c8b4bb5422df223fd97eb48636e5

SHA1
b653be3ba11f31ca0a93bbbde3653480271b1a2d

SHA256
e3078360eace480f71d3d2ed7573adf2afb2611f8b6a4c847f41aed8edb500a3

SHA512
3dc01af66314a366e9e47d13045d20e3ee10f5a6b130ec2698983fc0406541d4ba805ed6f8d39ea8539e52ba474b571b48f1ec79a65641bc4ac920d1be96a5cf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
589bd6079b5730a9dc9e8dfc0955ae71

SHA1
b906e93c0ba885eb0af5b80f5b9cf3323c838c49

SHA256
9fa552fc5f5ac2903d3eaf54e1078757650cb0e4841056fe5736020f1306192a

SHA512
c5b0589a312340241b2b445b36f18d45ae545541b03c26a802ea9fc83bf22b2a1bfd693dad27a308ae7a50ecab76e1b99d9b5dfa7fd6f596d91aed1a739fce1e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5933e1ddc58fed090309bb79cbbcf35b

SHA1
d2c250cd247756328d7ab3fac9582c2adb9fd09b

SHA256
bd8528a0e40476edae09d67f7435cc256dd7394f580ebd04e6ba229573a197c7

SHA512
2b3deeb759b99e02909c9015b4f4f3c75d1a23c35122f0098a624399b164a6bf0acfeb27565c281137e9dfac7f821b9b685f14b8c9ab8a42b4c285a2ffb2c1ea

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
a3144682dc3dd37f2aaf9ab089892588

SHA1
182e496d52ac1c0748df92944ac90de09d1e6567

SHA256
70591dc2bac9d1b1484e506f65dcac708ecad45379250b620f51b7246eb67340

SHA512
bd5a2626b6264cb2c6d2e73e9a22ab22265f29245d2bc35b623cefa548abc921bfe90541d2bd957ffb3891ce4b67b164cb95bf99424ff20740d6ca5b37421517

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
77b85372e3319c4e144e61357718a232

SHA1
7f14d83dec42bdd9bf0f52b7757d176de272579d

SHA256
ede9e794577473511559c33b3f3133388a1a9ebdcf40308fe933c645a072dfd9

SHA512
8284d952c99234a74d208dd049675fb1214f0023bb1a2b7c85bac3565baa3d269368a821dfe1ab1ce0c4eba9d78cc5d9d1f0bd741287c3e731f42b8a9d611a71

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d935057343711c15edfe89b24b8c4df1

SHA1
98ba179b12be3aeee834e8c76c28ea60f519f994

SHA256
b1158fa8baaab5c98bc2950fa40662b1887fb67729110bf2a25bb6251231921c

SHA512
5575bf6f992e87a9dbeb4bab99854360e02a80aa096b8f02e5da6f095abc09c6f7822b2ff1ad63bc2036def78f0a5a95fd7b6738f3c53a49a009153c12bac9f0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
e96fcd734147257a902bbb2d70fe3de1

SHA1
e4491b2cfdb94eb163fcbd49ab02f8b08f77f290

SHA256
f74bb78176c1831f4e2678c1d42e34f20536d996d6d663e3ece602201103158b

SHA512
0c16c30ee67494acb260257b69ea2e1f410fd183799644ce8911aa630e079aad2ee888683354fb23dfaa2cfc84d2babd836be379dfe3a610898868eb5594c941

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ac9b87b33da741966f0a41d576f58a04

SHA1
c580033b4d6416d75025f1e4c64d6ac2d0997295

SHA256
99d9b84098d51ceecbbb79d583331d6654ddf5060917b2be6b5f8fa41cd7799b

SHA512
a4cce26c163382a61a23585c935aa4cf3fc9992e98fad51af61c809d9bc07e2e5b0c710251428300efe1432057597f45a56d152e806cdcb99f4e34e281ec361d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6d63f6061d7ca507b1ce9ee473998b87

SHA1
e494249cdd21e67fca5338f47f0c183c0a41e93e

SHA256
a27a35b6147fdaf8a38a66589534ab3bec0e2acb42a8a713e197351864af9729

SHA512
696a31f359545f5da4a76e0f5244154331ec5d7049be3afbc2e1c9cba7940f7680cf5fe095d5092e9d3579b09efd15aca0ca9cd8a91ba5bdf751d063b60080f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
79cd5628c73be720579a916dd424cf33

SHA1
dc8809d57f4742c5da794d91c2a848b3cbc2be2a

SHA256
9f593cffd9de4a28afd1aa8852b436f413ae389186a8177c3cb3e90b35345942

SHA512
a14f12461800e0064344ce803282cb1cb000c7ef3c95d47a93f7afef71a757568c6490c1eced2190fcb5cb70299d1ddf7b101cd44625bb2e25112f685e684962

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
391218ba5d7b06b06f8f7f40d35615b6

SHA1
5781c4403312607cc46212c21a07e7d7898b3a30

SHA256
c1fcca9d9e20a8c1a8b1daf68637e5ca0a7d6eed362bf6511017fc3b800feeee

SHA512
a35ec07ddf4df3e7c752e0f4d431cec4d93019067ae83e9b5043e35dc42d2b0cb8c5de14bfbb41e51e0a62c26f96514ca673d0fb3700d0b1441be1530f17f376

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
599d344f44dab7c18361aead1b549b7e

SHA1
3ad4d3be490b106412f686a02e46bb1d9aba8550

SHA256
cce7f45190632b341a5f5af7526930b7e603a2d68489796aee7d1c007582cc58

SHA512
d94028ede6a62b362a21df04f1bd7ae23f7f5ea51efcaef82dfb345a362f8f8b75fccbd9800df56335d632871167e7ad984faf3428c5c7de1d8bd2b65b6020d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7eab73921ec8e8c55e1d9272c0a71536

SHA1
fa65deec912db6d7f9d5991396a713922bc83d19

SHA256
a90f3ce6b00597d894b243059b9e4080418ac0a9d8bfd787c70c1594ea9450ac

SHA512
704e399ae5a4c5a5d8c12323f7916c9067d229f0af5388b4a65f8d5dcfd8bda7bc4b2e3b6a1ac241faded597f452a4408769aa0858648498c2025271d5154468

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
903c337c34b1376cb7ae074777217782

SHA1
9f4a33536d339d0ff7356d33dbbeca3c7c002ac9

SHA256
666645654e3f0b61896af1413aadd40fc41e164eef143572f5709959b918a760

SHA512
63f1d1185435fef532e33708e22e91a8cfaea65e7e5f62c597297ab3b63e48e578aa552e0d77be7061141277db66fc244f16fbe82612c4716f9715e8b5661160

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f38b101b1c17f861f5324af83ca90286

SHA1
974b1e01e4f0012f627f522ddce88b4d7ddb56c4

SHA256
9fa67789c8c949d0c9f55457732d15dd5106c26babddde401a00316054341f92

SHA512
5be4a111b94d9caf308274c6fa5ceae99d403611342da862acf8d327c6b4b90af847f4c8ac73eec870f9fbb69f83cb9d476810b3b34811db103a794149024158

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
f10e2c23d9109d1eb9bf73bd8f4dce82

SHA1
8203c0cc3132d5e952e63605c6eff282c6f69116

SHA256
02808b276a06c7de1767df64baa4fb2ca9f42a30ef96fee606becfddd355da99

SHA512
df1929937e58a350e613852217feb683a4c3550642937cb7a2c5aa3d7d15a35c384ff96f626869d1882b1c84a8e9a81c40f31a50ad3a934cbb1755e72d658b1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
72ea559450c6876de12e0e16567b4265

SHA1
c0423a43c6a683ed18401e2cfb2d87d6cd8001be

SHA256
7c3b5e2199a6d4516167b200d72fe22f1f4c8f03e14d677ad5ad7d3309aa6e83

SHA512
697fa3a3d0bd0e0345a2562bfdcd1ce7ff1d53179b00815257d6f8f06d4e4c68f21bbd5b4ef8b2dd070ada1e9c9c3f1e3b523b53463a5daabb9088cc218ad66d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
987990df11323baae0b46e64f737d4fb

SHA1
14cb939f2691a07a75267ee1e5b352ab3c719c93

SHA256
3524d5ab5ddfb69a28fc2f1460ac100e3791099281237df4c29fbd710a4087a3

SHA512
0a64f27ad78cfb2b665eceaac74a513c053377a31b7f5ff91583d8325ab71e680895467c3ef96f7ce2cd431b6c440dc8d62441cd9dcbe7aa13ffa1f690c73382

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
8ef3c2d23e42f3db0a8ba9319d2f9fea

SHA1
a6e2f26bec55becf2605e102e8ea497a562e62d6

SHA256
ae05754555eea227cac3e76a60a9a796962ac1221860471639eeefd5cbcba96d

SHA512
4b332f357a9f5bc25e18b8be4ccbac47aa1818b67f526d80cf83404b44647cb6787c3c35f1bae24c87667db1f70d15480c76afbca996de6b37fb3f7cfc6dc168

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
954f2a7677a980c717dad0b6caee6841

SHA1
5b67437a1c865949d5b640de983b6b5d90fe3e60

SHA256
49c1141b51cfdd23bc8c8c0ce55461ebe2e9d9de089e909c9b8de6ae908841fd

SHA512
6eb84a0e2d1c7bfa4093f75f0cb10604de722220b82b148fdd044a9a9c9466655adeb7077c2bf3e7dfa3e83fbe7068ffc94b9d5c15c9a2bd87c1329a95d4d116

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
047e40e2066f8cc3a008d9b2cb9b1d34

SHA1
5ab9af8b2b2a8a2ce5e7c91d264fc0c8a96aac64

SHA256
7d18dbba87f68869133e382ac391583704338bdfb2d3767fa7b3c934fd00c97e

SHA512
e1c9f569d8965a3cec91fcb5d4d641a8ad798e9eb470113bec41b1ab434f19634d881c42b7c1870d7ddb2bda6c7b97e611b6b5ad0ed762662479008ec2b10d67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
5212d9ebda50b7ba993a697d818ba6f0

SHA1
0b679e04516ba9854c1ea531418dde0e948c2594

SHA256
264da27e5edb670a02750de30c6e04e52ff217f9fff523a27364913d53d2cc48

SHA512
ba97fa6f10a487052a5e14623ca397f62deb1e66732ba4318bf145ec148d50400898597bc0f27551fb2fe5ddd269cb5feb8edc5909d1765741d16974e7fc6360

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
1f2ff065addf1491c6f07e366ebdaf64

SHA1
81fe93b6ed75b41ffd7b37547598d9d09bf09bac

SHA256
7d75f14de4f5d08ac59317ddd48b51ff0c56dd81e73562f7c2cb823d9cba8e7f

SHA512
02394df0345f58e1bc2695d8ac5f1a006b662e677ff212ffeb6a569b452888aef547649a592ec95577d7c5abc1ff8aa28631fb6c2ad0f69299f8899ec7bb1bfd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
7bc10dd5fe660aca6497a5a8ec2b8b30

SHA1
ed38b9b2a6578063314eb8e16fa0e8947f41954a

SHA256
5b848649159831a0db5a25a9394d067e9090ada2e1bd976efd5e5ea347cfa894

SHA512
2d6e9456089da8c1c997a2d40adbe8c17435260bab27e64f51838aac5ac78613f34982ea381acb5abf859c754e5bcfa3fd0d3453f7496431e8608b75bf4d0cb6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
96586976e9986659531f256fb774240d

SHA1
87e41bb3e159f41db44ffaed6acb01c7b1d76334

SHA256
d55f7f4670054ec499ec5d5838ad3f7b235bfcc2684bade9cd8f8f5d20a3fa58

SHA512
853759aa6812086576f1daec7d1c24b391aac8d4549ea47df4a4533cf1e2de4b21ef346516f626adc70ab816c72bff1d7f95033f2c01c61a8046d2cda51e970c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
fb2c42baf1f6443ebfb2cb32430683ef

SHA1
32ea67922437de49c10f22eae54f9afe2f63ee06

SHA256
26f4bafc9960d2b80ee4243d1d35b17e9b65de7bd1ec01375bebbf001567e7dc

SHA512
07ae0e074c7f141bb85952bad0e7675b799cd8d213c29dd7d59356cf9e877ec90837c3cb1b39580145e5da9472bffe0b607b7d2d6ef790619053fccc3d2b7b58

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c14647b7825686a27c48a31ae530136c

SHA1
b58fd83bee9a943d2de3bf7a44873e2bf790be14

SHA256
eef3068d27acedbf41c501112fcdba8a1e5a223ff3e0755fb00ee1ced4336eb5

SHA512
0d985ffcde15b8d4ed2b4e591b8d2bfdbfb2abebde2802fa1ad478bb1a80b046c6f1fca7f37ef7a98a61b7ebbc8d775506d19857677d0ed59c8b2c17af1b05ba

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
58d16f2f13ef4f1dbb0e8f7f76538bf6

SHA1
32036572ab1cac2d0b0820eae19625deb73edbda

SHA256
26b4d3c784c5bb113e5751bc93e5999a7235435f8071a940a1d369eca1e0dd55

SHA512
c0e5a20e528ec260599526a09110aa7e03edb2976ce31ae79dcf645a97f516c4503de13d9b701584f02a441106d60d5484c4217dfb582fb15d61d7be34a47592

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d4aa722dc64b2f7b92bc6b4925bf8ed5

SHA1
e1c6e4eca0a4f126d1c41689e0ebb394b50e2609

SHA256
9207fd4c9af8e4b6f59a8c323969733abdf8bf62446d6cae29255bdb972493af

SHA512
e2264ac2ee1acfcff396e824424049a2ea1a916817692560c7fb66989483d979e000a503a4dc2ac3008cacbda18a982160cd075e212fa221945c866f4453d65b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
92b06709f6df8f60748ca9a5c49addfa

SHA1
34e2ea6c26caa912927a4c8c8b97a5caab28f02b

SHA256
9661a00926ff1f0ae1dddbc114b3ffbeae95c426c637b530dd26ebc6f182896d

SHA512
eb539428d028098d97ac47c75bec5cd042dfdf9c2fc5142959b0502be785505f88e051ffb1641aab22189769d2b453514a37f88f6f247a3ddc6d5285457933c5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d3c476572ef0a2f7ad24da98c1b4a0cd

SHA1
878790842ddef8a35062d1c0baef54b0177e642d

SHA256
f02754e3ccd5efc619a13fd566287271bdb621c94791aa99b8083ddcd3587049

SHA512
32daea759cd345908192d7e72135d8b5d3c7e10139de01e65ea6a6d92f922b40e0bd6a9eb010a9c8772a1bbbd2b025f573c0b9bafeaf277b45133736f48a98df

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
51a93b61bc0247557772f9c21237d572

SHA1
c13bfb2e11b298db4d4200e1f8aa2b6e3ea79b13

SHA256
5da528a3d685ffc17821ff2b2ce8452e85ebe02b040d2961e0afcd647ea85796

SHA512
5805ec1d9e0f8f23629bb2356dbbeafee4be5efa2148079ab7ab9977f067d2501da70c098aa05b9dd16bc467c36b227912ca41e7e92250b91a3817f717e86a66

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fe159808e4592d1c224ed914ef656451

SHA1
7b501067f6da24ab81408c80568ec0d92d0f3a72

SHA256
82c5a8a8039542c0fd6993a8d8805ae333930301576319176e56bd507f2c5769

SHA512
49bdb9a75f83f094e17e1f7745c6cdbbe609b1f8415959bb75773c8f7255d7de3ea5cbce9e236529520e9899f6659a524bd38745f6414370fd3a969e2dacc608

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
62e25e62ec5fa805e88daaeaed8b3e09

SHA1
96d51eb95556654de5206a47b72769a9d843bd2f

SHA256
cce573839e4f5382f303b426fe7cc2393a1c1b4fd32b8f3b69b06b68c15903fb

SHA512
5566d64b3ae3b57e430a7ff35d4a5091ab93618956f6ffd324957ad8bce7a97254f4cd7bbb294f7af627dec5e3ebf59b8e7fa0403646d9a1a0b73d281915d876

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
01262f85270e2f72dca98a5181cb95a5

SHA1
99e68e38cbb5bd12923311dfc71b1ef03dd7c1df

SHA256
3ba5aa4abad4dd87a6753101739a4d75db70ed512ba7f8a0d42ea4daed1e1ccf

SHA512
9d9dfa57461df818f5a1e39cabca07a76636d3a688db4244f8de207fb408251d61d13e4686ba1b6b993fa697215ea68706a3a19b7b811a5815f9165d22f10f17

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ae0e455894cb5e32c88525292d27f07e

SHA1
87e9c91fe23312738ef0b38b55a0d76e87a09c6a

SHA256
9613dab81b205aee087f1b50838b7ba5a91d9b125c05af305adfb1dac441c3fb

SHA512
e48e6c2644a178cd5d4b3251f3c3ede1b83cc6a40e1539b699db38c0d568d9bf6f34abb2ad67c78d2f6922762d2c739eb47d6662f1f9fe0ddc8a51e2d12b45ca

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a6d090414df4d5b339ccd94ec9d7cbaf

SHA1
5656c1aa69410dabd623d6e68a6b49f31049087b

SHA256
0297fb3b1b08f85e94cf004c57d80a167681fc9bf8c06e1364ff795ef6f7cd9c

SHA512
29dacd60e4e7bf2d1c036a72fa22e22bdd35b6982acc233aac909cf47d9b98f24fd1eda5b3324152b599c078363f0abffb765cf937052183dfbd4f674f65de99

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3ae522bde4f2b12587613c8c973cd3a4

SHA1
f2e728a84788f4d68685230ab253986fe471430b

SHA256
c22d810f16237f5df557df70c2763e532ee0cc53cad92f0390cb04b0d6893149

SHA512
f931edd41af0a2b10b8d5093716b554dd58a1481ac2ba1c1dac0eb573e035fba708c0987d58c910bb3a14105d003b71e5548bf8e4fd7c623e08dd44ab4f7c638

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
02bf93867d13511c2a3514c05a507dc5

SHA1
a804a6fe27b340b6669469c6a848763855c35524

SHA256
41f0f85c28549a0b1548fe45847fb2a7a188a61c82f627f40d00e68f47ef331a

SHA512
073a428d7450d951da0bba446e945910a55c2c361aacd6bc0057b753a9618d0fb53bb88ac6d4201a76eeff97a777bc2731b4cc3d665c1ae6c2fecb0c4c015ec6

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
51981c8d21271cec1448d0868d1271b1

SHA1
ac07f9f1ba45c92dc2cb0996f8791bb2475e5123

SHA256
35e827f6b0b2dd3b39f554a11f56743fe053bce3ee43f809381f820edd9f4ae0

SHA512
e10a9c1fd28aa1aa65518517d3892db40b1b0cea529a2731f0bebb9b44ea666ba8926ed731923290cee04c0e7ee58f12342ac9257547f5cc595265783b7f3048

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7a0f915a009e6f7bae72cfbcdfa8f8a1

SHA1
86d4d8ffd9bdd92c2bfb42c5b55392c2fae577df

SHA256
d5bc36d552c98e3ff1df2507ca78a84dbaad3c3953cc937a472f466b449d8b9b

SHA512
bdee2a9bf1ea055ccfa03ad33fc367b968cdfc170bb700f4311ca2dbecd8d1008a05b2b75c16ed6f43f5885fd54e791513344f30725c10c07c58146d87397d93

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
54436e5b8a20cf5c664489a13916dc9f

SHA1
7a1d361fa15ed3e5fca6149462306f9dc233e96d

SHA256
5afdd7bfcc5cdf2b18bff713f7484df4002c2aeb7024b80bf7363a05a7951adf

SHA512
b8cd83aca3d42867e225630b4f2364f6c04920eedfd4b024b241c1f43dbbdd890b4576e23eda482ec565a41d9d32a5ea7fd051d6d30d1c8728b4777a1986261b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9c4c2df43339eabf6f9721744bb1dec4

SHA1
f47a165989f9b09e4d14a7e88086c41e230eab84

SHA256
a12a6da43b2901da10ea95f015f85a1126de8d5d558300e123208430aff23185

SHA512
5b1839996f43b9f2d6454a30a53a0114cadbc9df3076b7f3cf35412e6ad9c1b0e0f90e1f4b4f88939510954887817609e6ed3fd9796ff9ca0b5487cd01defa09

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
40c6fe5c22fbe4f5b5a8c350e031835e

SHA1
f490a277e548899db6bf0eb221dbec9ed0561d85

SHA256
1d4894deda1ffc6fd77e68f0767331c95b038da32a49696e7e6bf98a9de7c08d

SHA512
1164fff2472e12cdf46fb662a1c6000d3e65238d1cba1b204118758ae25d7d43249c00ad36a84db58a05b5da121c8c4f1e5348148e73ed090614e69d0ae42f78

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
78023d62329687d1f335495114a6118b

SHA1
4e97400965b42d53eb3ca7ab1f9fb43ba73e286e

SHA256
c0b360a4bc4ae2de594200c871a780dfbb05085854f30f1f72ff234e81b0c4ce

SHA512
050d82a3d9c3828b936e2d6f7ad8bffc867f22840a893b20c16ab89fcb7950a089cb7b359e950bac260589e2d9feaf1411b92fa681c6f728a05782f4fb134083

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
f8c10f22bdf45202017b43a41e7e4840

SHA1
446efd70663ccb136a9c9879fc90d9d756becaac

SHA256
e921449e5698c5e86de5342d7f3c94f7d4516f0a1a9a78ddd6ad6e9786269ed9

SHA512
73d8d319102c846da7024b3ce8c4991d6db4597986ad03651dbc192f0c1b04af9ef61992de560c9fe5ec2f0e2a1d3052604bbe6001f78c57e703bc1a6e1d620c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
368a38060065633421eb54eea5f33529

SHA1
3ff0e80e01f972cf2c73fee6f649a7bab81db6af

SHA256
5c2cd38803ab9fad3093e5b26298923539f828e0c0fd732bfa6e33889d9595bb

SHA512
764252d3f14594df53ce10925a603e7c58e9a8afe74792650f208c3ee1c761d4f6de146c935870bdd2be47e4b01f4a285bae9a1e69a495689e88756df49352f9

Download Submit
memory/252-101-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/252-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/252-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/252-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/644-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/644-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/772-109-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/772-102-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/772-107-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/772-234-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/884-532-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/884-378-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/884-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1256-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1256-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1256-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1256-149-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1616-79-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1616-85-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1616-78-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1616-166-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2072-147-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2076-325-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2076-112-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2144-530-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2144-163-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2156-533-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2156-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2380-32-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2380-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2380-38-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2380-145-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2600-77-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2600-0-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2600-543-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/2600-8-0x0000000002510000-0x0000000002576000-memory.dmp

Filesize
408KB

Download
memory/2600-2-0x0000000002510000-0x0000000002576000-memory.dmp

Filesize
408KB

Download
memory/3060-531-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3060-164-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3076-89-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/3076-96-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/3076-169-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3076-91-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3212-151-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3232-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3284-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3284-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3308-100-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3308-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3888-69-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3888-157-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4360-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4360-529-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4452-496-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4452-146-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4508-119-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4508-383-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/5088-56-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5088-55-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5088-70-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5088-67-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5088-62-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download