privateloader | 52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/12/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
Size

1.6MB
MD5

74c528d588767e6c126c440d3b8373a9
SHA1

1ba260756607900e70d6d7d0c45cb3b72d7c1e19
SHA256

72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60
SHA512

2989be602deacd4ee7d19295404118f33b8400ed57a3d9682bec805ab689f9ffc53f1d530fb2b08aee3603fdaf3ddc7735b39633b361797fa3739a2a152a887d
SSDEEP

24576:S7ww87NKA/lu60S/wOBlka+MsWQF6BGqc281DWheBvPMGjOOl:iwtNf9/0SJBlkU/+EGq4xWhivPdOOl

Score

10^/10

privateloader discovery loader spyware stealer

Malware Config

Extracted

Family

privateloader

http://212.193.30.45/proxies.txt

http://212.193.30.29/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

212.193.30.21

Attributes

payload_url
https://vipsofts.xyz/files/mega.bmp

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader

Executes dropped EXE 22 IoCs

pid	Process
1940	alg.exe
4044	DiagnosticsHub.StandardCollector.Service.exe
1108	fxssvc.exe
4436	elevation_service.exe
1744	elevation_service.exe
4852	maintenanceservice.exe
3504	msdtc.exe
1124	OSE.EXE
3944	PerceptionSimulationService.exe
2032	perfhost.exe
1800	locator.exe
2192	SensorDataService.exe
2892	snmptrap.exe
3140	spectrum.exe
3324	ssh-agent.exe
1724	TieringEngineService.exe
1064	AgentService.exe
3840	vds.exe
3572	vssvc.exe
1972	wbengine.exe
100	WmiApSrv.exe
1580	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
36	pastebin.com
37	pastebin.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\wbengine.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\spectrum.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c20b9b3465f51a6c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\vssvc.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\system32\AgentService.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\System32\vds.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068cfa90b7d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009756d20b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002bf4cf0b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7851f0b7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007119f60b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fedc730a7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069d42d0b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4376	schtasks.exe
5084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
4044	DiagnosticsHub.StandardCollector.Service.exe
4044	DiagnosticsHub.StandardCollector.Service.exe
4044	DiagnosticsHub.StandardCollector.Service.exe
4044	DiagnosticsHub.StandardCollector.Service.exe
4044	DiagnosticsHub.StandardCollector.Service.exe
4044	DiagnosticsHub.StandardCollector.Service.exe
4044	DiagnosticsHub.StandardCollector.Service.exe
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe
4436	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
Token: SeAuditPrivilege	1108	fxssvc.exe
Token: SeRestorePrivilege	1724	TieringEngineService.exe
Token: SeManageVolumePrivilege	1724	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1064	AgentService.exe
Token: SeBackupPrivilege	3572	vssvc.exe
Token: SeRestorePrivilege	3572	vssvc.exe
Token: SeAuditPrivilege	3572	vssvc.exe
Token: SeBackupPrivilege	1972	wbengine.exe
Token: SeRestorePrivilege	1972	wbengine.exe
Token: SeSecurityPrivilege	1972	wbengine.exe
Token: 33	1580	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1580	SearchIndexer.exe
Token: SeDebugPrivilege	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
Token: SeDebugPrivilege	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
Token: SeDebugPrivilege	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
Token: SeDebugPrivilege	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
Token: SeDebugPrivilege	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
Token: SeDebugPrivilege	4044	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4436	elevation_service.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 2028	1580	SearchIndexer.exe	108
PID 1580 wrote to memory of 2028	1580	SearchIndexer.exe	108
PID 1580 wrote to memory of 2236	1580	SearchIndexer.exe	109
PID 1580 wrote to memory of 2236	1580	SearchIndexer.exe	109
PID 740 wrote to memory of 4376	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe	126
PID 740 wrote to memory of 4376	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe	126
PID 740 wrote to memory of 4376	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe	126
PID 740 wrote to memory of 5084	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe	127
PID 740 wrote to memory of 5084	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe	127
PID 740 wrote to memory of 5084	740	72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe
"C:\Users\Admin\AppData\Local\Temp\72afc3f26cacbc0b9a5dca8a10186451bb91c77fa445ab15639e96623dd64e60.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4376
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4852

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3504

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1124

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2192

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2892

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2768

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3324

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2028
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
467b11a376f7671d2061938bc82746db

SHA1
1ad93f5412cbbd0ce86ac0ee88d9da97870e6a1d

SHA256
d228cff5a57f394f73844ef112fb3533c01e080b9a4a697accd9f7036fbf6196

SHA512
443985d7d301873e2124b1e9c6152c0460a842ad1a89969d4aec13fff373f91df452bcb333f9f59a5283eadec02b679c2a33b4112c439189457a26e39b4b969f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
be330775928c7c59f3f7438ab2e03ba0

SHA1
dc42befc1db153fa8090a95497883d21a0126ae1

SHA256
1c8877cb031030c97b20867e1cec303b3db25aef450e84de3d336a9ac6c5239f

SHA512
c3c1e5d765aae2e1261c33f478e15cbff81c8dcfb8d5e1d51ae06dd8d4926370205241a3b9001018cf8cd13a35d2fdf0a723ee980e3c6e5765727bb08a9e2e9d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
e7bff6b82986ec326242bf1e44e861f5

SHA1
4ce7fb5924bea7f27e37c4a5b17ff56b45f4d715

SHA256
0b8609cbc9724b7d161a614621da8b123110e06e3243016b429f31776fe05950

SHA512
c09ef40375c8583712d651c3250981da243dfec9bffcfb75adab3e11709abfa9fa795942d2923d3acc046d804740c95d0e34cb5476589eeffc0d188a70da36b0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a60aefd8ded749d2f6ffdbe32d2b989d

SHA1
f1a59bb36a0e14e0bf13fe9b378307566665480b

SHA256
5907f870949a48ce98f128a5ad55dea6346a1b0d5bf64668d198b734ece05387

SHA512
b12ac28b48dd6a3635d92764bf674bab2380914717d95f07097277bfb9458a096925b870c46bdad26de3c4eaba356f697eeaf519ab430ba3683665948aaf2d83

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b6f7c874c262a3d89e060050dcaaf6ec

SHA1
2c7a97da055a75850f1da3335f4f5bfebd8d071d

SHA256
61c7d1f36226a9e8a17625b2e41044bed8c3124be2b67e4b993741f6ef5a82ec

SHA512
fed622c4358af7fb2f40af745ded8cfb5c3ed52e3a2adfd5345ead69c822c168a7b4e4953f8bd1fc29719e7c3ddce3045e748804970e35792912eef91e43d2c3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
cf73bba92a7cd2e887099e4fa91f9d92

SHA1
8f84e079a2bff909497cfea576fa571e715e1ef4

SHA256
a84df2dbce7240bc18ce41d622a899babf197860d0fe2bb7a06465fa4c29ab73

SHA512
441cbcccdaec323cd2b5f1af1cd0eb6bd38260fa1df7747651f95c248b041281e84565442150420a068cb5db242d80239c9521c370ec0e3add6464ce166fac8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
b769475d1dc394b3c7a9737cfdf960e3

SHA1
9abd3835c238bf6f60ff8425e5807784b85994de

SHA256
322e8c9b10e04891446dcf9beb40f10040126d9115684463463821270d524a1c

SHA512
9b9a9a6a5e9eefdee104fd8998c7dc98e70a13ca5c3a4504ecdba567c3813bbd1f8b64477cfc413c6e632ec13dc090750d1263f8138603eb364a910ac0679620

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2b23ab1e1590ac2857433daaddb1bcef

SHA1
13ab993f194be242e0aa4d696353fd7c2dfac074

SHA256
0e3a3174b5848bbb28660acbdf3d0e9566282619cfe61bf182a251276f38de6b

SHA512
545e16a671379d3c395da7bf18e07fa2876f7618590670f71643bd993794fbad252e7494aa9c55f2eb30e6e3e14210c313e18b5f4fa010fe23b5531e782d5c58

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
90254f4c7ee05e68a1815450fa548ae0

SHA1
5d5bc9bc313278720428203d203b795396e4d235

SHA256
98b6e4fc90bb1de2679506181a53254850a0bd9d890afad3caf5e0a4bd08a96e

SHA512
149d1537bcbde8ff85cb259111890a1f01554a22b25d5cf875039cf85fb7cd060f73ad02339c6861a75cdedca524040935e7086eaf3911be88e67f8f7be9e6aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
60d3d2e171d780af7963d8b7bc707441

SHA1
6fc91b1f2850f635d6cc04100c2b0536a7e2ef28

SHA256
f6fbfee8dde1aa6f76cb67deccf75683e0273cb4e33cb7eb1b1719c323f609fe

SHA512
17c2a6e006203e55e6fdd50771f61ad00210bc0b33eaa6e732ff793182523a499e2ebca762a5b2cb5322fe54a97be46b6704110072bdfda31900372d71a91046

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d1fa5aa78db2b9729b63297170cbf981

SHA1
25b00c92f9a3469cc9becff84e7831581eb6f703

SHA256
8ff30e481a3ed2044d82a80f6883de9c675a53ee96004221e278b975c3509873

SHA512
bf14de6e5a868ef3c84678d528cda348cf19ce2dc26ac7881141851d05b5c9982d0b46fcbc980774d95bcdd14c3c3a504a7162d792dd679fdc6df7254764eeb0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bb52bf03bdb7893f7b770c9e9fbc441d

SHA1
ca88ef2c064e060fc5118c037bc63b4a54b44502

SHA256
c7fe684c69cacfdbeb8634e092eab4ffcf4c41927ebcfd78314eeebd2978cfea

SHA512
38004bf3cb2cdc8a87a3586f6dcfd968ea4540d3b4839296fe27470b44f4a86d69e8a9fd926e5403d9ea03d0bed4e8174e50cdb7395b72a7af2fd2c8167d8dbe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
486f39eea37eebe98ee85388629ccf4f

SHA1
9a4becfed2b665f67a3930e36f20d35ae9dee03b

SHA256
356b24be51d3c92c33ebe7140511c30916561c51f514383e0bc8d993eb06849e

SHA512
ebc166ae31b3fb7bcd4570e35e252180b0db5dff9c4bc46bcbaaff1f07951567b5bed6297f719d40408c90e5492ffb7deff9734981f89741976365bfffe3048f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
718eb98cb56a9a7e4c996f8838d9d2df

SHA1
1c0a5ff5764b618b9ac29f73f24060f7d38ab3f5

SHA256
9f170b6206655fb325e450cb22aceb195ec784d5f39673b72d106397e702b54c

SHA512
443c4d0c3411f664f32f476d9474cb1ecbb1cbc273942b0989d93988d5d29769615ec929e47ae531a568820a0b2fc180960022219516588ff1cbcf3a06cc00fb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1b250430b511e3829f60d82ec0ff869e

SHA1
dfb8d5453bea891d9eaf0e67c163ca747fff07a9

SHA256
8987932f0e79406625be104c88f392220de519df2c5cf19637bda4fbf10e4c08

SHA512
ea3570ef7a70dfe091f8093d65fdd1f31fc2c02cbd74941c512552e2d4ca1cbf18c622d7248ebd708f327bf4947e554e8e486222401f8a04dbfa502da7283ee1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
aa716bdd8d3509e815f85136bac4a6bb

SHA1
b34b328307b4cfc99bbb71b4cd5063c5e32549bb

SHA256
a33f71e452b23526b11f5d0e1a6e1bc07305b13c011479b8545e4187fb455820

SHA512
bc146382e4694e15a99459318b2ca07fe212b3b5ee0646f1292e99f589b50fe4a0fc5da329581e0bc8a92667a69b0db1794614b0ea5bc5c497ff27ab2e60f87a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
516bed0ccbfede5ad9ed244c40ec1a7c

SHA1
cf80d4eeaebed311c67ffcc08c97f0a2ec975055

SHA256
976c7e77276df1879c97cb22ba8c2526413638901dc8762a43df332367eee2d7

SHA512
e149c1a42563954a51003283327517c6571266bb88ef5f7e6fc7380a2d71de3662a980022a81fe5b726742f09ae83104407ca035cd08a4b5230ccdbfb1c17838

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
6800e98ca3b0d617166b06a1af75ed57

SHA1
25668eda95e8f46e0a82a0e9af56bd6b44076e8e

SHA256
7d1d1a467fa9dabcf5989428e131ef8a354f695bc30f3dc9bbe29303584ca9b8

SHA512
c128f62c33a6cb83e7636e264129339f83df814a4f6291d7e5ef07cf9e5eec12a867c1b710416af8986f3dfc32189371adfaa72d28b6467052c3a629954243e9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
469002f097319d5277f394519b18541e

SHA1
84258c248ea1a736e98199cdbfaa25d09c7a223c

SHA256
b716fec5dad7e10e696e071004ccff25eb9a9c3ef564da2a5d8c06353c608991

SHA512
f2e0f75a238b33e26b0df26b8a07fe0d053d260bfd1574388e3896aef07b01621915891220595470956100c12d0907ce279e7f10ba785df6faf7d8579f5b0957

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e318a3a98fdf9f6e76cb6c433a526045

SHA1
846365afc2da828a5e9e3617b4983c0668022d89

SHA256
d05a8aaf6c7554622cb3448d4e6e699a2d63db38f54062450978099b0994c4cb

SHA512
3f2d18a8c02b5c1507e2cff7f0a5e18a1e31a6865d515017e7c34c3f8e4eeae8bdd10b1ad7cc78c15246a4e01a2d0beb6cc58ad7ecdc950bd507df5f870c78ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
2b6765d9566be38e83161eaa02660f76

SHA1
89f6016b5e85c9641abb558e3843467f45cbc99c

SHA256
4ee421e74200dabd6df42d5689b464d8ada7f1d0f9cd48b6877e0d31f455836a

SHA512
ede82f90c1d9f9bc0a477a8c34398ec291f3c8a3e19550be2dcf54f845ad48ea30ccb4a480549740b13b12c9b331857150f9a72325ab605343941bbf27fa6ce0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b65d33f3ed1a3dd033702d87b6d4d66b

SHA1
dc8d1f823adf28dc72edaaff408306782fd6d765

SHA256
7fc4009a57205f91ef47a5408ce2e094c985c28dcdd067195699defee9befd40

SHA512
2aed8d22bb0b4d555402f509c35e03f8c392e774ee23cde7eff2175b2c696aa9333a18868e6c0e4a0fc0139fc2fc264eba05c11b9d8afbf997120cb4232648f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
1394f638dfd1c24fe7cd22260df72186

SHA1
0b5712dbe9a114ba98cdbf72953578d040fb5c40

SHA256
ac7171be69eb7ba2e84f87c6c0aac44be01d8c6f508b2e4fc0cd37ac462b2013

SHA512
1ac2e163db815d88499965687046c7c0acc86aa2feb765397862ca86211fd9e9eeb186ab7718d933ec22677efb8cf8d4be260051dcf2c9646988e99fb2313a71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
25b5be93f1e0f3d94a15be3cb5856e8d

SHA1
a29b348e295b4860f6caeae2e61a2f7ae81ba2b1

SHA256
1fefed3be06eef2ee38b77a224378d40426058267b7b0ae6b055c5378e7a0506

SHA512
27c86dfbc22977f2b46368dc617ce11b7703b35b906d8a5981670f19f625ef7af563e021789cb511b08e6a0cf526ad466280530e32f18bfabbd4e2d9f7defc88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
43f98660475914069f2b574c8dd49cea

SHA1
7d5d974c6bcc6b7492dddf7985a00ee04c53afe1

SHA256
69f7f0428059c4f00d238f729f9741e2aaaa51ec9a56292aad30bb8a4fbb5b05

SHA512
a6e5db4a6cb504931e8cfcacccac625c0550af8448261b3f4d6a2741997e29683fbc5d5f9217cac76ad8d3030326586f4752ee6d509a6b60a28048517a95134c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f29c2f1ee46b9772b641432c8257b155

SHA1
1633e1b69b3472fe5c5e4ad9fc8fb4420bf7f4be

SHA256
3c28467a63f45158a5c1f5d22a68ba88480b8141394abb7f131ac532416a1f74

SHA512
1fc904038331ba859e6f348b11340bccdf7c35f541be6813314addf1f132559e9a1a57b96c08635a3d4723ba281b778ca4c2090e9fb204604403fb919d48913f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
2d1f9bfbaa336c2111486ffd488d5a59

SHA1
e53a9a4152c47e4d49bdfa7ccdfb5f22f50b4069

SHA256
b679d4367a971d0e821324a1e87d24925bb1f19e649a19c1db97f275199e8cc8

SHA512
4af3900047ef119c8c7dbba4c23f4f8713ea1f3d406107730d164f4632b342319dd72ad5ef4845f1fe85c115252a5ee8be8ff8994e679bc53dc187e883c39a82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
a52bc219efec07111284f53726e439fe

SHA1
2c4d24e3ed79573c9ac19e02eedcd2542cc4c60b

SHA256
3f2d5ef08a24bf6c85d1efa8089dfe8ae194392221afead3eec56732aad63bd9

SHA512
d2ede6ced1b675c28109d07288b0bfdb00267b1e9566056947026081b6dcc2fdf2aa08b128749121a04175de4ddb12536c72d3ef10033129f01837eae83496f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3a2595afb2b2a8bfe8b9ff916a2777f7

SHA1
a8637516b8e9857138e70fb8ebc3d4d6bf4901ed

SHA256
e0aca2fa5127699a0cd59c1cb18c06c7d891c8bb9b91d9df66e64f7d16821dea

SHA512
a6859d80927b59d9f1f23501e577e8b78675b26b07704e4982a245dc9b3227c2c427ee7f73dc977892e96a8a727591746dd3832694034dcdbd6696c4136494fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
db74651ed9f10c4dd5e6f32df7fba8d3

SHA1
0fa68bb2b016d658d23e0269a943ddb5d106921c

SHA256
0f23cb6589c7ec24a9e77bee4600e5d3de6baab0763a471536af22d7f86e00ad

SHA512
ece410aa8cbb8e3b8f78ab31909d9f2478d52c75e6702ca9fcffa3da8a2fe73cdc6c022674da7a424303ff1989f1e20fc0a2480f604000b03a6b1f0c3d90d5d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
2254da179ff21c0aaa639e416f543ae5

SHA1
44947db48758b90f44f1430dd54ed487747654e4

SHA256
e30bf0e7f1d5d8b5885de695f44a09e970f81348cc1a8b5581de9ed014379b3b

SHA512
61a500f6801a64a6e09379cdb90b48574e3e7d5bb991076208a98630667d68536c26fe628056f1a12a0fbe59a168c099516d401a04f0be0dfab2864b931aa3da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c60f12c640a335c94a5b92812c0f4463

SHA1
88db7ad4fc3bd2f9075e5388d621d0ebd68de8bd

SHA256
3665253d32e69dc5c1598ecb8144f8b3aafffb4a18a3b71913b4d84fb8c45823

SHA512
ba25026af60ebf661cdab0ebd05ce47d5b3954c80bc2fa7b6d01a52848c0ea36b9a5758d518b62457f560924c481c1a82b8f62bd906624f46652a27295b417de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
7868005093944af07c5f4dd0ecd536ad

SHA1
d1d5ac032d0671f8cb64fdaa0262398e46a190bc

SHA256
d299daf277d072c235d9853fb0748703b04076172938f31af655256ad8da1da3

SHA512
0097aa052c7decf8624af189e04d635740809700d0851c9d6807274d32ad11389c34ba65df8444cd8feac63237b4d9614b98654ca396e7d9a3540862e516b50b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
dde61d332586288aac4b8f9197138fe7

SHA1
0981341973fcc5234a13dd55e638d819bf22bcbd

SHA256
8ce75baf9b98e6df79dcd721feefd645e050ca6809b1178d0872063a93ef2b40

SHA512
668b3c4f83b97238d25a93a380ad8bb056c254039126c5e25104f6fac2e71aad96207b9c04c002b2eb009e1abf6b716f0559135dac6542116dab8fae4fc62407

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
94d87b8e0f49fd68358338d7d204603b

SHA1
6957bf20f5568c3e131905890a1d877f4c5f8f4d

SHA256
59645a11611645c07fc8c1a679f37ff05f9ce30ca58940af79f73674434f0a8f

SHA512
1d305399fbfd266c17769bd0d0fed418b6a2a46e40eed6b706cc31812fb9961a0bf8507eb53bfa2f1ef11659e0fa7a7e6af3e28fbaeb2fd98411cbd1845f294c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
0a1eb08560359a8d435b372cf07d59fb

SHA1
8f227069c6193dff2235ed4b016947fcabaf6484

SHA256
d76e419832da42afa9611e7e233a314ec5ea86b96bc5f18d50b58fee2474ac48

SHA512
65cc486a0f392dc444e68afbcabb7cf98ecff2ed33babc6b9173181301fc353a739bca00d313e69f6deaed1d0b26da27ee017ec1687e6ca8608b6cacefdf609c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8043067dc26a97809f2b51e999b4d1d3

SHA1
11924e102b19a523a6503a249a4e0081dc11c8c3

SHA256
7c3e492a10033e281f64a433bf594f95567f14f52649f90601beadc2aa1e8542

SHA512
3d780f6656717ff53386437e63b077ed46bf202bc03e39e3805ea39904de21adafe39bb42c0f94a35ad16a77a9427869c562f8994bfb2cec54a6e91fb254b94a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
5c960266ac3bf8dc6e5592dcaa5d3c83

SHA1
afe894c6ce5fcce226c1af57d47bb1665c6bcb39

SHA256
40d93e43257e5eb3f73f54973e43ffaa4bf2d9f1b7d22cd8f604268d569f1c62

SHA512
0e3b53cb6d080c7ead27d45d50f42575092489baa92e1055887ddd2af654dafea6c09d54824bd6bed44c88b96a6a30cf24e7a6fde0ff1cf8b0fe7086df0fd611

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c046c10bb474e8e0ce64cf386924d74e

SHA1
fb1af44133396d7e7e413afa443d4ea1dae20589

SHA256
d73b12561d0546de7742f2857cae80bbda195842ecd80e87492bbdcc64745e1e

SHA512
fbc6ca78184101b36ff3afc4f9483bfa8bb21334418096b9f90d478108cc9bb269f57698d01ebd04e78aefe02d0bec7d71159b38322c5d82d1fe6706b7f8aeee

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
61294c4be8de07f0aab9371c3a3081b0

SHA1
527f84b75bf929eeb6211b6577c1bc6cb7b4d0dc

SHA256
ab376c69b5f9c313b8a569460519c2d08f23cf4e9a7ddb068ae001e874bed319

SHA512
a4b7a94b807cd712243c285ef8f865fb3d5fa3b63d85e90fb8a83be14175a4ba73d18a673ecb3e2417d21833c5da050f10b34c6199ff836d0f28b5775ad71f78

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
aa1210a74ae85a43fa412d98332c8b49

SHA1
8c1b0285dc66993e1c29cd30aae9dc0cfd37a9ce

SHA256
a9b826842c9d1bda4af05fa48f3733992c7fa771f07ca2d1312f06d97f91c20b

SHA512
cdf8dbe5327d767d2f14febf9f3cbed0c6f53aa1d6ea085e0424c59a3fbbca12cdc99db946ab1b29e97e2709af0f8fa56111b46e0f20a55423d67aa5fcee56ab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
399c62048ae509260a9011b1e54f0313

SHA1
d4f77a87f623ef473b2550ffc952be61b7366a03

SHA256
9ee7e7c7a4fb3043390393d769ac902b49e035fbbfd7f617e0b577272165f056

SHA512
7fc4ab408e754e571bbd9fa8e8b7085b9daebe3a2dd6cdffcbe2ac691b3864e5c73b975e46a15cff7bb10a2164b9c516e7321006987066786405e8db828c228f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3e2b6d8ac74ebdb385bc3b005f48f956

SHA1
a97097635829b8309fd8de03832c4f51ed6290f3

SHA256
a7282365a5791d5053792312614700ce5ec703215c45be1f1bead033e0721057

SHA512
5ba1ec0132568cb2844dfa581b8ef2f702a951dcc8ca2f6b0a26244bea914ef815da6c8362e0e7c2ed96c28837feca17844c2e96cf1ecc548ebea78006326229

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
e1578a2e7fdc488513fd3fde43c2e92e

SHA1
9918cf21dd2d55ea66fecb01c845ff6dd6c17370

SHA256
b948e5e7813c009f7a8821c1e7f39de6d4ab8b09a67798dbdd737efe3f561bf8

SHA512
bb5f18bbc0e197010c8a6671e2c66ba3ba6d8c664db0a0c3ef80c4941b43b831706ba76da8b9f1e2dabbbaf1a7a4f3140e42d53ce74918f2764432a49597ca59

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bfa7779149bc79ed041b4f065646decb

SHA1
1c234ff1d40cde568decbf5c944da2e96ec7e079

SHA256
e6e43110830cf5b03110783f650cf8a2aeb298b38ac37d1da190838c8ddab826

SHA512
fdde6e6f3c89b91f62fdc21586e68ff9df87aa5a7086b01e1aa4c12b06a7a14efeedafa5848737d2fab6f4c7d82fb30da7a64473e55d600e6ad091d77668e6b3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
978e92b9ccc8ad062d408bca46353a3f

SHA1
21228eabfe74f0328e9db4c35e653c56f2dfd68d

SHA256
0e3ff725972612ed0fb0e57907bbf88863e439ad6b8d75a33b0db800bea06eea

SHA512
f8e8ab13191ad2b225edadf629ed11b3fb4b5a3f77146fb9341cea309a169ba82807b213d7ed1ffe2efb9600b863f200ded370fa8d3239d4dbd8d6cc6b721563

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
631313173eb925b87ae67cc61de221c6

SHA1
57469def60570515e30ace7efb41826d66c46de6

SHA256
d6300626929b16893d83b7c96b10679fef5ca14755aeda62922027fc69f0f3fa

SHA512
963a1a7f2ac9ec1757b563b72a69e1c1862a1a210dec4886c043e61e2ded436176a8fe8dc68f8ef6f239eee4e64266f51175526238d34494f03e88edd55938c6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9a834495012e7410da60b2f8aac135dd

SHA1
0ef22dc61a5306e519091bdd4ac3c53b5b8bfb85

SHA256
534219df4dca09c66180a5d4c9e2da22914f2c21f535620daf4f4f634ee36d18

SHA512
0ba1ccb86d9d0d9bd60072565fb44f5d97d71090b401f8bd1892455dcc49dc9cb661c2f55026e545d3839f194a07ba7485561ec3599b84258e3c336b587f05d1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
0d658216884aad465e12549e7e5837be

SHA1
6ccd63a5020ede06d0f67cdcb1cf19b2697942fe

SHA256
3fc5d59d6a1765cabfbafe6f3d05e1876afe52659dc702cfda4940171ca6496a

SHA512
3790f84bd4b3b78497796911da171ab4eb3467abc3b4098fca68eaab06c76b94140211afff9ab5dd790087012b334296643c8d68fa27f0282cfc37e53af7ea88

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f7380f845bce384ff327433d439f2208

SHA1
886f765bde64d99324102287293b93d9e02653da

SHA256
2d2c6db8aa1328f7a7e04f1418292ea69b4c2da092c2042e16bf3bf2495426ea

SHA512
4334e46b408297c37af757714959c92fd56fe42555ab36bc84b5c009711fd4598672ec64bcf33fbf5698b687139d89d656080130a859e3ceb475cc743ae95d31

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
0a720fd8992088af28a945be9e4755d6

SHA1
033b2d419427e1208e1bfee393677aa3af971e7c

SHA256
0de2575675699d8fa65096e293ea0fe08d6c8447afaac5f3783ce2b0155ca9d2

SHA512
6bc7d39a5aa308d3847b58ddc29d7339aa9f5baccb14c336d7a4c43bd9b1886f443951ea8f2a365ce269e07e1c2f4456882cf3b7630c3cc6dcefb4acf1d6695c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
2e829daa46cc30e187325306fce23740

SHA1
8b884ccdc2501f09c4240db2f06de3cd11ca1b9a

SHA256
1d78a762f96ebe57b8bfc16832f594f8229365abd083e0cbb5bab82ec8b01623

SHA512
b3b420ade2aa2e024d7f8367ac2d8e90fb7936e1f5fa845d9d147423ddb1e26719055d7803498c9a78b2ec721f7b126e69a1ae92ee9c7bbdf28a6cc0cff51b3b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
50d6e9e0edd30182401f4fc4e19c6b07

SHA1
507fe3a50abb421f5a668b3a84005597b5e964ec

SHA256
fcfe0498c89699bc503ff2f1392fb98f491054ab35eae733498dac0d1a0cc2b5

SHA512
7908824d538b8aa7cc99d72367ddb706f8e4c424540278c704662f7df533f8643176525dbfba076d9b412e0d08b2d80b55c3111bef99d597d7dfec9b68a778b8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
23980b74b840adee4f41027ed9f29c35

SHA1
47713975b9e841bcf4087a4e91be629586122fe9

SHA256
2c736552b2b091ae5a960783dac593c9af7c373e8d5ecac0f3ed648c83571f03

SHA512
a17e99f93f10469444de77198495705dbb302792ad27795c8780ca245eb1869f7cd2710878345647532c3f23f39241c124dcd60b4f4e66a6603223fe6ac8218d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
05c953543f5d317b2fafbff53d882d98

SHA1
35ff04f6905ac43298b9f7f2b4ae45a5ce82cc1f

SHA256
48afac4d9bce9a0ba85dfc6da416aede0c0fcb2566e74f978b9e4aa46eab544b

SHA512
159a2ea9e9bd42962577ae25793891debdf69c70cb1d07987dea1894eb343d039592278713c2919171eb966a37bda4d17369974588d682ae9d6d54843d2383ba

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d178e63bd2c3ac546e4a49a29b208c7e

SHA1
9bd34888735931bc65750039beaa451b61a7d07d

SHA256
4514ae477ac1cea580ffbb41cde02018fb5a22f53613a0c355ad8e15d75b0e72

SHA512
bf5e47855303dfa1021b9dc1ac2a98c48ff831349a7bf467b7d6f837361385f188cabf85bbe773e0c8b878264f00da8c0a4220f84eaabfd1cf360a900ae7257e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4e436664300ceae4871e663078b2b311

SHA1
ba38a443cc9484d1b2d6d9cf53f275c9c8646f8c

SHA256
fd630f14e07e816fd63661d9b31fcf253f541f6a6da39141fc1e846c18ff9ca2

SHA512
e92ab08e3bb084b857ddcb643dc4c31e7e25a170e558857aca6be43de8396c200dac5382b3c7956b15cf3a16f5ac2066c8023c10b46d3eadf1b4812838b08ef9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
2a01ab30c085ac9f7e0877c426b134a7

SHA1
749e3d06da2020a0956654206311985f7b14db33

SHA256
6fa535e5ba9941be76c089e511dc33cb8f691a5d0deb29c72609bff01efec38f

SHA512
fbc0c8aebcd4372edc278de3083ec39255f8911f1cd1139a665d6a0b26e565cc7e556793f0efe93a5f807d7453a48c058df736b3960784b723b152233948df22

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
07a8163bda41217e1e2b609518ea5226

SHA1
61aa67d657e051801794a5d6073c26f7184504cf

SHA256
f72436ba26a87160ba46d94a5593cd1349aa1c37778826338b771741a1c122c7

SHA512
c6125f48d5be51459967ce4b54cee7939607ef9d38c40fff7fd6a231909d060ef724f18f0e3e1bcab5022b43d07e7c66b14f5e49b1c0d92366b23265be40d415

Download Submit
memory/100-211-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/100-456-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/740-466-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/740-8-0x0000000000BD0000-0x0000000000C36000-memory.dmp

Filesize
408KB

Download
memory/740-1-0x0000000000BD0000-0x0000000000C36000-memory.dmp

Filesize
408KB

Download
memory/740-74-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/740-0-0x0000000000400000-0x0000000000649000-memory.dmp

Filesize
2.3MB

Download
memory/1064-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1064-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1108-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1108-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1124-155-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1124-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1124-81-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1124-75-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1580-212-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1580-457-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1724-453-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1724-147-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1744-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1744-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1744-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1744-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1800-112-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1800-234-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1940-100-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1940-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1972-213-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2032-102-0x0000000000890000-0x00000000008F6000-memory.dmp

Filesize
408KB

Download
memory/2032-108-0x0000000000890000-0x00000000008F6000-memory.dmp

Filesize
408KB

Download
memory/2032-101-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2032-214-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2192-324-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2192-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2192-455-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2892-119-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2892-364-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3140-123-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3140-383-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3324-436-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3324-136-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3504-150-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3504-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3572-210-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3840-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3840-454-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3944-208-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3944-98-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3944-95-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/3944-89-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4044-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4044-111-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4044-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4044-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4436-39-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4436-33-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4436-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4436-122-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4852-55-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4852-66-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4852-56-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4852-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4852-62-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download