privateloader | 76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
Size

1.4MB
MD5

a5b61580544b2c266a7b43f07e68c4d9
SHA1

82697f21745a4dfc6b22826a61b1af2e8c75d605
SHA256

09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c
SHA512

3325cd2b7687aa1ad4e55449d9299317f9f9f9f8a6836d5ed06c2dbf9ad594e9cb44a99fd476c81b9048d09f7589a91ccceb2ff9c928cc953994b7e7861f847c
SSDEEP

24576:6Ji+Gn/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:6cnLNiXicJFFRGNzj3

Score

10^/10

privateloader discovery loader spyware stealer

Malware Config

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://45.144.225.57/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

2.56.59.42

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader

Executes dropped EXE 22 IoCs

pid	Process
2328	alg.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
5044	fxssvc.exe
3924	elevation_service.exe
2132	elevation_service.exe
2984	maintenanceservice.exe
2264	msdtc.exe
2072	OSE.EXE
316	PerceptionSimulationService.exe
1536	perfhost.exe
4956	locator.exe
1268	SensorDataService.exe
1596	snmptrap.exe
4300	spectrum.exe
1680	ssh-agent.exe
3612	TieringEngineService.exe
4884	AgentService.exe
1920	vds.exe
1792	vssvc.exe
3928	wbengine.exe
1108	WmiApSrv.exe
4464	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
48	pastebin.com
49	pastebin.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\172f672ec1221773.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\System32\vds.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fbd98a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000484eada46055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa8d4ba46055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088403da46055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018e680a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019a23fa46055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000402a68a46055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007124e4a46055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe
2796	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
Token: SeAuditPrivilege	5044	fxssvc.exe
Token: SeRestorePrivilege	3612	TieringEngineService.exe
Token: SeManageVolumePrivilege	3612	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4884	AgentService.exe
Token: SeBackupPrivilege	1792	vssvc.exe
Token: SeRestorePrivilege	1792	vssvc.exe
Token: SeAuditPrivilege	1792	vssvc.exe
Token: SeBackupPrivilege	3928	wbengine.exe
Token: SeRestorePrivilege	3928	wbengine.exe
Token: SeSecurityPrivilege	3928	wbengine.exe
Token: 33	4464	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4464	SearchIndexer.exe
Token: SeDebugPrivilege	2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
Token: SeDebugPrivilege	2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
Token: SeDebugPrivilege	2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
Token: SeDebugPrivilege	2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
Token: SeDebugPrivilege	2140	09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
Token: SeDebugPrivilege	2796	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4464 wrote to memory of 2408	4464	SearchIndexer.exe	109
PID 4464 wrote to memory of 2408	4464	SearchIndexer.exe	109
PID 4464 wrote to memory of 2108	4464	SearchIndexer.exe	110
PID 4464 wrote to memory of 2108	4464	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe
"C:\Users\Admin\AppData\Local\Temp\09a93018218af02ec1b0ec179a3fed2c205ac6f48f8cee615d2dbb99399d600c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2328

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3240

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5044

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2132

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2264

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2072

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1268

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4300

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4816

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2408
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 808 812 820 8192 816 792
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
422f94fe01d85d92b470e9f94e75f9dc

SHA1
f22822c2d125efb32fd73a5c17cb028423ae4138

SHA256
38094cfeb5b7744160f50bab3c1576811fbd3eabe16db467e5404d2f1376f2b1

SHA512
afa9fd1f4658866402ff5cb5a72da39ed3e0d32911c4fc5d734bc68be69d3e5009ca5af029946bf18778d96b0be04fd025dc8f913ce2068931c0bcad733850a8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
f4f4575957d11fe1aa02f9868f402db4

SHA1
0dcb7aebebd98d9f8fcc38ce3dfbac315ab7fe47

SHA256
753801575da2be793bfa7424b434d81ab04e4e1426b8229554f8a0b6fb4f1e3f

SHA512
dbb87cbd7359bf0ce217784963d785320111900204e3a788e0a8cb0a4b5c462d9007ae1cf9ec109d2f3d058e0b3743422af1388325bca617d0416d81a0bb81ee

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
09793c3e25e793e2922feab6ae1067d1

SHA1
7a22fc2f2202464b39b0193f1b6158afb19bc5e3

SHA256
9d59cb7c7a46cd6c09b02e3f77a620b42af16e3cf464aa4d03299102050504bd

SHA512
b8e8efde2316a2c8c89fd44b1115025ffc3f5f34f865c9b00dfd1b3a148ecae0e69984af9ef8146074528cfc30d0cbb43e5654773f74e15be035370293193f1d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fb5b81ca7f19b87dffafe286bb6ffd61

SHA1
79881f7ea64490c86b5bf27731f00735088fa2e2

SHA256
36570a2e0c7379477b4cee12b4ff59c3f90f3c43193280708f9ee123b3cf4ba2

SHA512
20fcb35640d56f6ddd90277c4bad32cef41c8d980d2ea39ab8e08308468ebf78a15aabbbf12c7e5789be6fcaa05dd6333cdeffa7a7b34abadce8a8c30a5cbc43

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8fe88fca5faf7ba6859024bf662f33a2

SHA1
d6babd5f25c96abe80353389027a6ebb198bd6d2

SHA256
04163017243fb82f9851c48a7f7284573529fe27d852d4a9a037bf95b4649157

SHA512
3e941de65457737ffeb587838eb16e7ed386c815380a03eb80ac1a06411c241713718ff2b700c9ac6a3bd09ce03781be1dbc72ad20b7113f53745d8bae81848f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
238b68feaedb51ed1c39938de3187911

SHA1
fabcf81c724a6b2d16c0454c9dbd91447cffbf48

SHA256
6fa22a768a42099cc369fdd88a6be45d0a3ac4794817cf2ab955effea0683ebd

SHA512
d52789c0cfbfc89e9d853d19f1981a45fc2851c4a2d23db2f13ee4d699f5f3f8f0f4b1b55e4b7a0cd802f53f4f16d659179ba149357fc350218bfccba1135017

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
a52f8b003a37246e22942f2fb895f576

SHA1
de38f7eb59c724a9111145364b51e4f8fe197ca5

SHA256
5535fd5247978d4de5c1dc70b852f35d2a406ddc8ace735d6ae793c14a8764e9

SHA512
da5bf74a5b1c7379a5c197428dbbbc9ad151bd99caaec8c54efe3988f64ae6d159458349570772743172128a97a5b06d2fec3621fba863bc563ccef2c79ad2cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
155f456a06d5780dca5725e902a9746a

SHA1
7618e2f8a8e27af39b98afdda527d407af4e16fd

SHA256
bb8e8992dd6ae43058c78b47e89db71e29ab16874dd2b0dca8ec016a6df0bda2

SHA512
deb5804bdd768b406086ab2e510640170a14a0ef6bc2cfb6b28fc360431db9590f990295cd91552c8f3759cbde9e58888232bd764810c3544a4f5f1494b0d351

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
6f5340dfad3c058dcf5121829a36dbd2

SHA1
a20d4435bf57293c8f217b4cd716c1ccd1cf059e

SHA256
1cb81e39822f7f0e1fe59370e3881bae134bc7bf492145bd0655695bba0b614d

SHA512
2418eb037a9c4b8a246f5228e56901f6840fe9921879a93776ebb0f565a5c4dbcc2661b5a76d762a99b1128156c8f21324d0fc452d72bcae6505552cdf65e924

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2caf9d63aba0c8222e14ffa5f42b2cb1

SHA1
74ea697d8717ef76fdca4f798e2f2e4aad0d7fee

SHA256
f5bd93154c1c148d44a843aa8b5b36bd4bacec52277923551209faf328994541

SHA512
bf477610ff857ce3a8186738cd21ba051512b16075893e8038b6a9276a679ad631b0ccbff0d4cb038ea31e650a641b0a867cb8be6e141a654d33e19bb9b7850a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4e6aa934665afc5f491b1605040a5b8a

SHA1
b863116b4cc9297e658e596f6a9761a9bbd5562f

SHA256
17940ec951321006471de102c2e5800feba3f1e0de37fe8160bb33144bf91584

SHA512
e39fa2328599a01172bf4cbce7e40b381f5c8eae2cdf32c78c52ac22c5e7f8148fe7ec1d48045e87cb9b3f706bfbd3b8b88997299bb350fea7ddfaeacfc5886a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
12d95ef3329fa4285f79ec981bde3582

SHA1
d5c7651b7d07f5769d7f6aec9ff2f012eea7ba13

SHA256
37aaf3fa826591ce7832f4c22f286cfb74b78335cf18b340b5958b182f9069f5

SHA512
1aaf529b0764f3233bc8f2b8c1cd0fa54952e0a8f06e0fdbf7a1e3afd7b8a7e2dadb2887e71085c271e8c23604df0da09bb5d52816d3c6ed57ef128fcb841ebd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
bafc019866391c675ddf8f10f43758b5

SHA1
6428ea1252325db86388b8897235e68b0cfc747c

SHA256
cdfb77f5b93c1719b649b1a5491a67398367c5fce50e08a2d34f8718078be698

SHA512
efa16ea024d252b336401775257f6300fa7f4a05ad847410d1dd6df8b2307a70f0a60abe18a8560c786f3d5c8bfdb7f13d106b84847fcdcd18b92d17f3a3a456

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
edc323a2e8867233d3cc6361e794aa71

SHA1
65f384071b3ee0c2c864b5ac4799bd7fa9c48673

SHA256
0055d74e94fe64ab92a23461a206b12ddd8c17c1f8c8f87b459ffc943597b04d

SHA512
466bd6eb61ec125fce0802ece6cc77c7e166e503b109fd39c66d09759495c774e3994f065b0ed23e8c28320f930810ae6d27a92cb263e94c21360671b36bfec5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
83944cfc7fe6b33bc406db969c00c2b6

SHA1
8a62305055a4dce6c2c6d6c96deb72d692c07da9

SHA256
4473e26579cf11c2216fa115eda95d49fdf583237886bcc8607bcf499ffdd112

SHA512
126a117c649f9769121d2a3fc0473fddca8e8ef377613777c86a2ec0dfe264b3eebe1dd40fcf99114b6dbe80ef0da1c77a36abcbb8557c1c05474c7cf08e1f94

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
93bac6f008f0c1cb5eb7efb06bee26d2

SHA1
08fa170ea31fb829d6c47dee02ee3c4e5d7c8343

SHA256
da4f045dea6a97ae20c419278f188525d8133dd842f429e17cb072ec8035260f

SHA512
41b8274accda495780a4907c7ccca06aa301f3d53ff88a5318ed4c4c327a9e4cabc2983585405b89dcb1a3453fe33342d0ae6558f45ac6db8bec528c0fa9a6fa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
59a270e8716cefe5eb4c128504090273

SHA1
465d23d23cb152cecee48a9109f0cc89766fe571

SHA256
96b88cd88f7bbf006b5cea9a4c1b4d4b96e53a127df0b9a6285e653ebdd07361

SHA512
c6f9459394167d203d52eb73a6cc6745ce1c8b754afd866cad5f377067d95097ef035674cca992fecfb43116d4ced0c67dfc6eee3cc3decfd7fdca30d33c5039

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a9c98346a75e6559201362be737a6f91

SHA1
2794697d143c3354eb68e5af9582223bb4046520

SHA256
16d289a1a48065507b0905ab2d0fb94d2eaccefea02d0e5e424e759b664a010a

SHA512
5a247a340778c9f6ee155c8e9a498a00661312430defc953dcecfa15d0dc812e5203d80024221e9ca1d5b78983d25b5fc572520e93e015eee900d8d34aea5679

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
44eade72f0412525ab55a0b9ad65b64b

SHA1
af71e3faacbb0bf429a69f3867ec716ed0a6b70e

SHA256
05dbf9d407ed86dcac689b62cc189cb37297c40390c7a1e73572d531f1bc557a

SHA512
dfe53248431f4466a8632007ae3fa334a9c37a27856d62dea7b98a6744da991ae2fe0bba4f2e6474c29acf89b8a98f2a104422279900c4794775f19244ab6ac5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
754e86d58f2d3b47976784d9a2e24f85

SHA1
79f42712d993cf26c4f18b01fc721f5b725c4d6b

SHA256
b6a5da252d99e83f33bc6b16b392f0188b8e11c05bf331daa465ac5cc89d0afe

SHA512
3a7f5553bc5476485703eff26ab3b51a52ec3557dd1cbe249ca952fbbc7ce99b5215a5dee5419e6706b6de6baaeb7b8b66fda870e81396a5a0ff528c26b12bde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
30d140be06fc0f127cbf4e73a5dc7183

SHA1
8d8d20ffdbaa70b0f7d02eaa291a10162880bae0

SHA256
747b1067eac3114c0b7da5ab14261ffdfe35ef2e61e854aa61cb3ffe23404db1

SHA512
45e65956b3e5d11b41d8fcbbebce6d6b997a6dc70c04e64b9e54e03771fbbdbc56d00065d4863e2f0d31b5584f06f8fc230b15797251a913c0df4db4213a274a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9730140759630535891038428615f0d4

SHA1
92ac134815f641812779b396b6a55d906513fb7c

SHA256
23da06a7be08fbf9bab60f96d916a98fa99e34cb51d20eb43a7882ce083cc5b5

SHA512
2d287cd963a9feca33c4539dd9ea82b2865453b6382c68d2b4806c9680fe6e85aefd600c186bec50d588d35ffd2d4ec95c159721807c58cb94e16c2d31452889

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
de6019b2dbe9381b489ffce3abca2d03

SHA1
236e3311ebfc4489c43bf7e44707f2dc6e93e6c6

SHA256
8250e7191e0b810a51265f01b1712bca2504c33b6df60207d87fb7b12567880e

SHA512
4d6db065796db4632d32aaef4de73a0245b0b5bf3f4b4cc41df92b21733b9a0e284daa89fc7ab5ac0c1aba4d26a42d99e4d8a10413fd37e206bc5f19c54dd463

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
89a59d699a8f3b8ccd0c4c5721cedeab

SHA1
0c4a2cf81bf7dfbb556e35851520abc0bdab77de

SHA256
992649279e6a7501e629d695e24724deecde72c3d8877358cc7bd5cbdf98f6a0

SHA512
a9a940dcb26fcdcf2a58c350700de2ee49b1e1c604a1df86d7e631da03a1fcc3baf2c5588cbe89e5e30b798885442a87a4139f1055db7c39fc422ee71bddc651

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
2a1016cc40c303a2205e178d02431ff5

SHA1
affe0dd71eb543bf865e3422a895f7234819f9a1

SHA256
a250f4918d393cfb11603e7326f78455203e84ac24eabb32cdefe4434994f969

SHA512
0914b8ffe0da478848c79b4077251ae9bc6f173929157d27bbb392547d38f8afeff420ca6956ce2a5fc4951521e716f5def57933605e5b4457649f01a0242ec4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
08dd4602b3af934d2f9449a2ea88d042

SHA1
bd70422c8966a599214652fb336a1863c6e3b066

SHA256
d73f4632576bcc210c2359a8c4da4ccd8861123946e0616be42eebff5b40ba57

SHA512
5e47b2814eab0955b0c1206777bd8f347fb113d34c69d6a3924f8705a225332c121764a0b0fa50c9b874fa7982ade98fbd5509991df861c81f908851754dee16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
564453482a8d72f760b92c391ce4250d

SHA1
7e04f4f077f3239183de8059b052661d94253ee0

SHA256
fac10f22ad5f43bcde8bb50b822d590e19af5a497990ac0f4247522ff613efc1

SHA512
f6244f7e472ddde7dd036d4154d8957b0532e4025e9b41ef3edbbb62c341e148e4c764655c423fd20c03894bda24cd0f925d673ee95b2701ed75527c41ad08c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
bfb855bb5f9036ccfbdbc56828a2b05f

SHA1
76387fd453efea13da6f40d3023ca9c4b896e28d

SHA256
1a2f228ffc6ca05dbf3d56b8cea83011512cb1b14d2724305d94b34fd19f9ea2

SHA512
289b4fcfef459ddc2a8b052f0b0d8dc3d666f1a8a0f2af521c31e4fb2e6eda420bbb6aee0f606081cc70e912d4c04b88c8306223d1c0495eb541634d579a26e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f386acfff9eca3a5c66af164b50e4f52

SHA1
24665ac117ebf60584f8bef8533c9450db547e57

SHA256
c6aac0dd2b0bb571ad988c8956cd2a4e4bf0d6dc7ebf0e515d31f2186c6ab5ad

SHA512
86c603de78540a26c4ad2ccfca6d928f56b5e55f76f1c992b2291e7c0afb8e63c71074a29b888c1b2ec090f76bf242f7701b52b2fb2be64b66158c8119f27e21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a8a263cb5961a0ec464d7fa38fba1c84

SHA1
6ce3667215de84c94b4a66704b79b795f1a3fe9b

SHA256
93fb53b54d40559cd0f6ea306378afeff1786398ad43daf827343810214ab176

SHA512
b2feadae10ecb44ebd1a051e39d4f9c19dd1056cb0614487f94ba12e80b8cd6e3b8b3290ec47c87ef3770274f498b49c8060821d5fd034af2e366c9d8c5adca6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
d16abe4cb5e59438f7127c5ac22ed63e

SHA1
c014363253425bf706c96c7a81ea358fd1d2f1a3

SHA256
372f03995dd49d71f7dfe57801e965b971c8045aae78a87e8aea8ad114811624

SHA512
7c83719c2b2d041c8c9b7b8b767fb89ce67358cca93337c03078e079f3ed88776ff11061a72b4cb1500fb88a16e4a4637b8f5384f0d0e5fd65ff4230c7057072

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
5494c344db7766047d73fb74d7ce42af

SHA1
51f4cb84a3ec90cd0b385da01094e220cbb0d576

SHA256
41b0c242a712249754f134554d6e9c7db7eea3f7fb2a1742cd4f92b81da035f9

SHA512
7578e98509ab7039e3005d9b1111da57baa42366f9bda73b5e5cd01110b893fe745c478edd193d54572d0f48bf97d291d4c40b603c9826de09f11a433351a803

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
2336e3f8696ab161bc028536143a81b6

SHA1
d922fc26da5678c019c093196571dc49ba4deb0d

SHA256
c55968291a1a6babdcf950733fc4cbb121a58dc2b134dd1405e4dfb4c3b4d1a0

SHA512
bd62881a752cb85d2127a180d1ee35e53ed5e10070159907fcaca227427a9fffa1ccef55d26187a38c1e7a583e8516b5939e7b8a879b50a31bbe8d46fcba06ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
e4e26329feed4bcfb7ff17f928101631

SHA1
5ecba3908c125937f09526aec2317dcf32dd3926

SHA256
6d2d607f5a4b0e19d9b1d19ee7b39103ce817938fa215d3d3c7394ccaa01b39f

SHA512
0b6b91ce96eff8570e0cca07670bc5cc06a0862f84581243cf6104a614a28b9fa2c7f2f5bf7e8a713c6b1e5be686d1e397c49a90f548f901c1a2553e5ed9b17a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
4f2e28984d0b39349a00ba33e05f1c17

SHA1
52b06fd912b3748e5a28865e7ff3f78f6d070cab

SHA256
23eae6ece190fc14104d8253a92fe16a832ca1934f0ff18ed8932901fece6b68

SHA512
7ae42b9f2de3520c7cd347c7efea144992aee609129904afe00bbcca0a1a344ba9d98c55d78e6778551b0338ff2d2b58d2285af2854aa26c5c02cec1058ae701

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
2bd7ec5ad9c98a47ea7e76d7ee871ab0

SHA1
f94794cadc8ecc29ba924f75f6bec1abb189f46f

SHA256
bbe17e371b3e4674d35e3d3c5a7d9d65f4aef7f00b244d95b6ce8e918c337dbd

SHA512
b457cd9479b88d6820e4087bb5dc17529c65d68ef27c06988791b888a1abf57eaba6cff38001c4bca607c9e448e321f4bf996e1b6481552b665f66e78959ef9e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d787415db2f513a3a752340c90d8cd1d

SHA1
24892880cb9cafaebca8ea22e794035dfd8c494f

SHA256
e0c82b0d955be7a878ad5cc6980c58d6bc915f967bf4809a574b5eb455ec292f

SHA512
4ce53ba2443429a1d5f18d1595e7e1c3df90f9535a3f8ba4ff87428252d17494dd89e0057a4bed5ea4fb62fa9a6f59421e132f7a7d27e9e7f6012ccac942b667

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
aef2ace7dcd745e45925ee16139692a1

SHA1
d316c34decebb0d818b0e39245f04f977f01694b

SHA256
c38db4e468f8652d728665c3cde497193f2eae75bf4e9f4c43605adced66db51

SHA512
3898fcef927db86208c0f81c9a72a6718a305f1b624e24356ae023b6b59ada65067a6ef10cc15aaf8bed610e7eca6cef26b41e897062656871043fa56b189007

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
910adec6b831b5c48d6302fed9b534cd

SHA1
5622d808156f96f9a2a0072730f852f5e5d9193c

SHA256
8cddaf8bc1f701d142f8a7d2e06f72bdbf9c445fceac325009a081848505d13b

SHA512
2f34d906d7f5fa3910901dbbef2e367b27085b734a8a6a53761cc14d97f65fef7dad2e3cc3e386d10bda296aeafeb4508eff075a51ed47f30397fcafd3c4d070

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0b0b90f943ef9f84ebfa4698f2b2fc09

SHA1
13ccf8ed918a0769b89ddb447212cbe17a688b17

SHA256
58b85dcde9a0d489836c860bd3ba4affadff5149364f77372cd326e8fd89ca3a

SHA512
811bfd1d4e51e9ec73c1e554a4e8e917c452da6d0e3dbe9a00f49d7c951d900e4a349fb0a225110dacaf6170dacb80b96bd8ac8dbbf7f9299d3ba940cb1ff731

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5aa13db1872882261f4145b50db95456

SHA1
e9c14b4616e182c11ec1b2a88df18a9e4d86dd36

SHA256
9a3fc239c1e93ce0fe38b8c4d06e30f2f20d0da6cf8ed80b10a9356f7412c614

SHA512
bce20f54d1f34bd3a7e8e0aa13ba9dc529810e7e3c8c5602275b54ba9ea0942011453ae0d0b3aa244d0a6be5c118fe5f2187ffe85c865e0822e646d550023b1f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
33071200bbd0ea9dc37a9ed877fa5bda

SHA1
e477ac43a3a5da4768b3fc3c2a189d403118d239

SHA256
8442d13a27eccbed6d66a5aa96461322cdead71c323b5e7bd2bada8712d335d2

SHA512
52dddbf4cd63c7d7cf18a3f279018e6ee7427f2fbf6e1630171d246bc81c70be4c4fb507b2dd432beb0f90463e1035667e48bc3f2db9f9ab2c7aea2cce697b73

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
2e7f579639cb89e6aae0342c7ba61d87

SHA1
12b42a37f4412becc25aa9905bc26a481ed60159

SHA256
f8e68ea0171a440941b8ee3587cc2ac7adea8264b3e51acd150cd4b940f2c4eb

SHA512
97a133faf87f49eba29aa6ef8bdad02f77e9d7041ac2410df2477037bdee0c24f967f8f522fb541ab3ac10e8e77c8e9743b6d841ec52be13fba67ba6177d63e1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
f4b55827af1174ba5156085111c2e51e

SHA1
68cd94508f1e24b1a9e54bc4d0bd5c6631364aff

SHA256
43dc2bc8b3c29bbe8761661f73b3c2d8bcdedffba8eacae63ed47d445b9ca9f5

SHA512
46bb0d7cca4302b118809e718c2f26eded08cfb37f6987a3bce0aa63d4e3492184f1d83738247caa9212890c4e6530b7baeba92db5f922c3852f9fb554d8bb60

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a6fba1ee52d068cb8a4b8271214905a9

SHA1
a782e2b005198ba0a7259f35b671c02bbc26ba08

SHA256
8065e5f7ed6ee706093a60c75e7464ecc0b11afe4a2a499587d9d45d47f553b1

SHA512
d169cfed216b4ccc54a713432b189e0927b6d2f3e29408ba4c6c7b8eac72d4abc52b3dc861967ecfbc69909a354f946128b9e603b24c178671f2c8c733e251fd

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9ff6b3d213a1b89b2e20aadea29d6123

SHA1
6fe8e207fd0cc36eae077d4c4fda238fcaf47557

SHA256
0442169bc4c8d83215a12de111c8586233dc70f23fa6567b4efe10f3a986f1a4

SHA512
7938b202e003ab23a35c77b1980109d4c2ebfe24f5806f987153fa2cbd916643e7258e97caeb713e3a985786df8f69e77429ff70c4100f337ea106e8e1d41122

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4824503f283af124eb5eaed17866ca5a

SHA1
8b4f76ad313d1e9e79f465556a8eb70c0ea0d9dc

SHA256
ba1f1c9784279ab3a68b2d41d300268d92facd117f435b8e83c87816448f04c0

SHA512
2e58520200a369eb9f041f8fc8538e317476ebcee29b493ff14d5b92350b5dce02b2850752d8868e7168384abe0e62d293a95a950586468ef4b91c33297145f9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b070df02276dbddb10aeec29b2d44d46

SHA1
59bad216fd9ea391b47d9875a361cbb8d5bf5c4e

SHA256
d9273525e68049a7e68b80a661d0a69a0b603e699099c96b73c845b23515d105

SHA512
aa1b9d4ab81537ad15cf1e06e5d2c0ca84b09a596b1ad6c0c4687c5c7a505b50b457b072289dcd09ee4be34c0f2b02d6df6529f9a52d67a18e69c4058bf985a1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5ac7830b6a0ed7988acce90f63434fd6

SHA1
e9a4532c631054661e1ec3426b08e96d937457f5

SHA256
9fd64d9b9c2e3721664ad02a082ef3cdff88f130897fa305b84316d4285b64b2

SHA512
4e70fd04f1e0f750d9d1e7756513e4a9aa9afc958147f63799b2eb952bdcf6a122f6d63853bffd2a5d3c785ae0c90103eb0983ad2d887d0b69ec9b35398a5d9a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7a6e6d64650a1137fa833bf60c4ba4b5

SHA1
cdd31392a33e53bf06800b2f9d488d940ca6cccf

SHA256
82210d83c4edb2e098177033df69e9807751556670e7b0ac501eca1a60c91277

SHA512
1e6144c6af1a6a8e6dfc4f5de287c2e1f9b2881aad63ec39b54a85f97204be8755d987615343f114535dc5e1de942d9d0ab92d9c771ec41d1a9b5908bdf0120e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b9355fe75b5ad827af566d62d60a3824

SHA1
1a2c2bc63b2c66af385fd90380db2378700dc8df

SHA256
ddbec73a86203ea329b7ae7c0f6248b1c9da955bfc205f5af650cffc2b613faa

SHA512
196de3fb777ed3b03ea7a0e18d8911e4cf53f6c000545dfd7348b57898cb794531b0e420c48e9d7c14a4f4d1580b82df4bc3a2222f0c6d57059e3a9aefd92cac

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
c2cd5e46b137b63f9a8e10ae71541c90

SHA1
9d353034dfe9fa64be2c52647618ed94253e2772

SHA256
c0dba68b600c4a6c4ded6902daea69542704f9f324b5f62e84b15823c2e40a78

SHA512
10c2218144a8750c423c0ca81e78fe219cd1c9857c0bb758bd2d917088357f7a426dd49e74e2942dbe5d2fcb1aae150c18f1191bc2bebe5cb25b6b3417616ac1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
eeb6249effec0c6010f47f3f9de9b6e0

SHA1
cdcd170c0e8351cb63cbe189e3e4de2ace8ff2b6

SHA256
9e0d8756456ed9f0ba159427c8f016201d547786c7dffcc5a77cbbe404cca061

SHA512
157515d4a3aa6754be1383365f4c141e1348f8dc8d0a99293cd9e5c7b110fa7517ce5f4bcd2cd4a337926ee47ee8456421a498a40829c55e7623cab06eeaed6b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ff183b9778bc7c61adfca4cc77c11d06

SHA1
243f0b6630ce662830a280b589da538a0592e368

SHA256
631b657a12d0fd6fe214ff265e46d0ad721c089c2facd7683008b19de6ceb8a3

SHA512
790d54648327d0d3b7ec0e472607cce5a9bfeb54cf4cfb32f52606f23007004fb085abeb048a08d6a7799efcd3f5255447ad871e221a6d62e617b994c4ee7dff

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2605c43cb7d9ee2c3ced0df2e1bbfa7b

SHA1
403c6bb2d8f29957bb0e2f5df76a150e177a002e

SHA256
c83ea00472d23a8d49a5886981b0eef192356645c622e2bc3fce5b93481fe779

SHA512
1eb8806155b9dbb6f4f17413024bf3726ceb9e6810d6f603161dd3fa7c607ff405466b6494bcbbd70d659aabc8ee945b5d2d1ed87a77a787a22f706a0fa076fa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
40c51897d73fab03cc6b08a774b570d3

SHA1
e464aac749da66dbb2dc6a555b508428cfefc1d4

SHA256
76a790e7e0557379b992607cb02b490b1219ec2f10657fb0014c2a9aac560bcd

SHA512
83602325496ae69461d78928590cad2524e1b92d0e20fb557e9cba7431ca385a82df80af88cbedc9866799463c80dbd3289aeb6af4da8a42292185a78c335413

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5253bea42a233594138b12c16a5cbab5

SHA1
30419164e9ed0000db17ed516d6816aa9fe2673c

SHA256
72b768318aef338bedb266ce04c5353815bf277d6cce7496fa3b14335777950a

SHA512
975ae96069a04703e7397ef5a49dcedb1e1d0d66e6c970a443972e6ebbc0374aaeacece95410d2dcc9de1a897b932e2a5190e2bec5bcd760ad9360a58f623b6e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3027e6cc2fc12fde7d8cca8e4692118d

SHA1
b1d5e7152885244a4bd68d483e6fc8ed9054bd68

SHA256
e1aeaf38a796c1520428f3db0a1992837ee1b05c13e64108e5885666ecedfbc1

SHA512
5355d0dd6f8e95990102ebdb111e2972e36ce4a2e0ed114c54f76786c277ae03ff6a9e91df19a3747ab0890c0675c936438f13c483cb5ff295fb5cd4354d4b63

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
89675d66cd3719fb22414092fd59e3e3

SHA1
1263519ff2aa9070e5ebb6cf210a4240c2f05675

SHA256
6af1f33fecaf01789588df1b2876612beb747853f321a9c37f81dfb2c899ae99

SHA512
8f1b6df71627d0646270a4a3a134b9386f18711af276f954d54a6768dd178ebfedf182dec0fa00d7437f5b24e378cb5c5d5f87a6b3198bcfec13c5bf6bf21f9e

Download Submit
memory/316-96-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/316-89-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/316-90-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/316-159-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1108-169-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1108-501-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1268-502-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1268-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1268-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1536-100-0x0000000000790000-0x00000000007F6000-memory.dmp

Filesize
408KB

Download
memory/1536-108-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1536-163-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1536-105-0x0000000000790000-0x00000000007F6000-memory.dmp

Filesize
408KB

Download
memory/1596-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1596-290-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1680-369-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1680-139-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/1792-499-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1792-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1920-498-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1920-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2072-81-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2072-82-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2072-75-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/2072-155-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2132-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2132-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2132-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2132-50-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2140-8-0x0000000002470000-0x00000000024D6000-memory.dmp

Filesize
408KB

Download
memory/2140-518-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/2140-7-0x0000000002470000-0x00000000024D6000-memory.dmp

Filesize
408KB

Download
memory/2140-1-0x0000000002470000-0x00000000024D6000-memory.dmp

Filesize
408KB

Download
memory/2140-74-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/2140-0-0x0000000000400000-0x000000000060B000-memory.dmp

Filesize
2.0MB

Download
memory/2264-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2264-150-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2328-107-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2328-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2796-111-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2796-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2796-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2796-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2984-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2984-67-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2984-62-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/2984-61-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2984-55-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/3612-147-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3612-433-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3924-38-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3924-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3924-32-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3924-122-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3928-500-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3928-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4300-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4300-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4464-172-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4464-503-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4884-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4884-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4956-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/5044-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5044-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download