fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2022 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
Size

2.1MB
MD5

10fe844edc4fc5dc0d981aa503370c17
SHA1

a5fcc664fc647c273190adc2701ec7e07ae69bce
SHA256

fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd
SHA512

336312d886b319f0ffb19d68bca66a2e130479958f579058388cce086e186887f4956d4a4786c81fe7ccfba5fa5dac08d4b00becea9cf102d02cbc9231ba9203
SSDEEP

24576:ocCT67wHqWis4l+jIACFr5hqjiLDpSJDN93pqb6W8cU4gLQO6sqjnhMgeiCl7G0Z:VCpn8t74iA3qb6W8cU4fDmg27RnWGj

Score

8^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4084	alg.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4224	fxssvc.exe
912	elevation_service.exe
788	elevation_service.exe
364	maintenanceservice.exe
1464	msdtc.exe
212	OSE.EXE
4564	PerceptionSimulationService.exe
1888	perfhost.exe
4900	locator.exe
2020	SensorDataService.exe
456	snmptrap.exe
3676	spectrum.exe
3272	ssh-agent.exe
4128	TieringEngineService.exe
1760	AgentService.exe
1592	vds.exe
3860	vssvc.exe
1304	wbengine.exe
5104	WmiApSrv.exe
2024	SearchIndexer.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\System32\vds.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\locator.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ada722eabb2d98fa.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\TabTip.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vjavac.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\RCXB910.tmp	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File created	C:\Program Files\7-Zip\7zG.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vjhat.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vuninstall.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\7-Zip\vUninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\vIntegratedOffice.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\vextcheck.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File created	C:\Program Files\7-Zip\v7zFM.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\vnbexec.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\vLICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\vjabswitch.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vextcheck.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\vchrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\ieinstal.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\vjjs.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vjar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\vjarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\ieinstal.exe.mui	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\vjmap.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\vjdeps.ico	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\vcom.oracle.jmc.executable.win32.win32.x86_64_5.5.0	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\bfsvc.exe	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0807dfa0ee3d801	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015e406fc0ee3d801	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f29752fa0ee3d801	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fa853ffa0ee3d801	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f0c2afa0ee3d801	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee6305fb0ee3d801	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a0d49fa0ee3d801	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006eaf51fb0ee3d801	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
Token: SeAuditPrivilege	4224	fxssvc.exe
Token: SeRestorePrivilege	4128	TieringEngineService.exe
Token: SeManageVolumePrivilege	4128	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1760	AgentService.exe
Token: SeBackupPrivilege	3860	vssvc.exe
Token: SeRestorePrivilege	3860	vssvc.exe
Token: SeAuditPrivilege	3860	vssvc.exe
Token: SeBackupPrivilege	1304	wbengine.exe
Token: SeRestorePrivilege	1304	wbengine.exe
Token: SeSecurityPrivilege	1304	wbengine.exe
Token: 33	2024	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2024	SearchIndexer.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeDebugPrivilege	4084	alg.exe
Token: SeDebugPrivilege	4712	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 4440 wrote to memory of 2704	4440	fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe	111
PID 2024 wrote to memory of 1568	2024	SearchIndexer.exe	112
PID 2024 wrote to memory of 1568	2024	SearchIndexer.exe	112
PID 2024 wrote to memory of 396	2024	SearchIndexer.exe	114
PID 2024 wrote to memory of 396	2024	SearchIndexer.exe	114

C:\Users\Admin\AppData\Local\Temp\fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
"C:\Users\Admin\AppData\Local\Temp\fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Users\Admin\AppData\Local\Temp\fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe
  "C:\Users\Admin\AppData\Local\Temp\fc02485ea48324e9be4c09ff5d1c7f03a7a14da5a5a8a6a0e479d3e7991f4edd.exe"
  2⤵
  - Drops startup file
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:2704

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3524

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:788

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:364

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1464

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2020

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3676

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3944

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4128

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1568
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
73ff206e75b7e7c002c4629761418f36

SHA1
14292a73b7d00a484ffd721bea9f5374c054c5f6

SHA256
b6d377741da0430727967bb6c33777fdfba2bfb22469c0e06f854f782043af8c

SHA512
7360a21b25b4a4a30f57dd7f337b65db5f3c31ace6c46e1da55a7cbe1ccafc67383bae2392f91fd6fda5016915f7c92da4a8ca01632eaecf836c8d1a2982d9f7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7fee95cd37db29de8612de6c3081d2dd

SHA1
dde9ebc28539ca58eba9244de443eb0fc36d61ed

SHA256
eb72336c43f417de691ee57c1c55c68d87f2159c50970a5022eb459468086a1c

SHA512
fcbaaa0fa82dbc545e0f265fcc704b2f8880c00566dcfee4cc16653cda8f93b79c47300578c1df3cf1c0506a1de592654f9ef99f6a8c01df81c654023dabe5c5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7fee95cd37db29de8612de6c3081d2dd

SHA1
dde9ebc28539ca58eba9244de443eb0fc36d61ed

SHA256
eb72336c43f417de691ee57c1c55c68d87f2159c50970a5022eb459468086a1c

SHA512
fcbaaa0fa82dbc545e0f265fcc704b2f8880c00566dcfee4cc16653cda8f93b79c47300578c1df3cf1c0506a1de592654f9ef99f6a8c01df81c654023dabe5c5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
c4a56b3645fa404f3439f79e8e5a4553

SHA1
f97b1673f235878b1d7fe4239b97457ec9367666

SHA256
c21725779bbd2680ec2c72f4aa0e5ec990d1d52d81c04623b1202ef2a25205ca

SHA512
65d490497c4fa7249d38351e479b4bcfc17aa8ccbbbeb69f02858b5b00280de245b695dae5ddc2ebdcf96cf1628d880d497dc9995644766211319bbc03db5b34

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
990cefd18257bed3490b2eb45b5f242d

SHA1
e8a98cc1e71adbc10610cecd67a3b231d26a2c4d

SHA256
f982398de318e82444a2fc0f6ee49305daf9a94f08aaa711801d59fc2016b9d8

SHA512
22ef4a287646c956efc63d37de57cb7d26ae55d238a2d4644eaeeecbc97749e13cf38f94a6badd430f06a9b50dd1c2c425c318466281c7355b879a37017342a1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
84b6ef786ab9d92c0530b6e5031dd70d

SHA1
1f1a906cce462a2a0d7d10c256de35eeb63ec04f

SHA256
4c151d490e152664b774f1fc3cf83ccfd62fdefa30ab80a7eea5988e961cc842

SHA512
b28c8729e9ba2bdc1c7762855a7b968110b8ad02bd958a870e551104aae6aad4257778c43ec394995321f1c7d0a51c2d0542ac180f40b1b544e5564d8f0d68d5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d01964bdde1dc41c7c9bbf44dc468ead

SHA1
227284f80ad0d8a3de234f1a136503ec43060e0c

SHA256
93fbeaffe12e0eb267b962be3a568745adf8c6620b9edbabe6fc97360cefd284

SHA512
d6b16284bd90e9630318819940dea1888d8e682a5e3b27cb69b44f1169d1644156b52da4378a0558ba858884f4776ac4400b09574a4fa939ba1af2bcc88f5f46

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
77b3c8f03ee36d692392df2b58caf4c3

SHA1
8f95f5d1e60358436a1895cb33e1623ddd2ebbaf

SHA256
3df742f5267f72ba1bf828bdf90605661b394842d5fd1dfcc8bb1bc8d2522018

SHA512
7da80b25c03b79b5f5e78c71f8a4287b4363808b3367b1842c112c6c3fc78c5aece427557e6a1a7adc322bafad7ec59f8d1d0e2139e529658caba8d1b6c036e6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3c1e73519a4bb4b2036e3457a2a384fb

SHA1
6d18820d77005ab7cf3b7b5c4e74fcdf77b844a6

SHA256
2cd44a7bf23d40ff14aa91fd7f0d42b8ba63ff0ff8a997ef5df3a7e3caade2a8

SHA512
9c89988ff23d075817245ca46ecd1b1ed80d3d93bdadbf54628894c0791b8a7759f5fb84dbc67eec866b6f10d7f74d959a7ac02c0c7f5c86479c7fca7344b181

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
716c5e6137d8fe9fb896a31976085acb

SHA1
d889f8762a4cae14535eefbd42fb4447b8025b60

SHA256
39ff3e6af39cfa3e34a040bafd60d47a1cc2adc0bcf9f27f457cceef1b035f0b

SHA512
2eeb5462e2ab1499a17dfe85dd85d9f54e66eb67de99726aad876ca67718f6119ef14ad6730ebe78df70f964bea84ba55749d5aa9d15d4acf41e76dc5fc5df74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0727c44912d90950f21ade4978f6ad05

SHA1
bef1490b91dfe4ef71417ddb160440a6988db2e0

SHA256
0fd781a717b68dae03adb6d8a29870dd33b28a3d48b6d35805ad8df629db1700

SHA512
0ad059a5ff5d80c0ba5f15496ec2cf12d301d88031cbd3d25d91a92d7fdf14f400af76b03700af6b79c62e4e60204d8d59f86a2f7741a050779bcda8fc92fadc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
78b7ef3ac56870b025a18e81ac5e891d

SHA1
803a371bfdf8967b73f8ed6647c4f503e0b67cb4

SHA256
335b4c8e5736eed68f08ac749110b66611c9ba62e5a66ff4344797ae12a0e485

SHA512
b13f79736b1f295f06e39ada4b3fdadf329129ba9afe33decd672a7e1891a8b75f75703dcd2b5b5e86bdb933f1cf949345c46e7c044a0f151a8d9e726472a2b7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0767d41e800c8fc4a7370f2456fbc2e7

SHA1
7ace26d3fb79ad33f8fdea770ef935d068276e03

SHA256
1ccb64cc87f80fdaee3af89504952b9a909ff915d3fff02804f790ea4d4a0235

SHA512
59282cc0c22ae6b1625bb6c1c0fbffe0263145320e0518be69cc7705997bef2036f07221cb087242d0444a7eb2863d188d5d8fd2938e87739aa0dd88ede9c2f8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
61bd0f24f72f311b57c1f3631e2fd3cd

SHA1
f65a57372d21698d84cac986dd216a224cef5088

SHA256
87672b9be7edf14bcea04f6c140d0d5355a9a46286dd336eae5e15b00c4fbff8

SHA512
ed7aca98a9d0c162b6785fea3837553e447d6baeb27dd7d5e155eb59f8937cafb77720f955f0ca4d93d8e1f32403e06d7b9204de50afe6c8a25ae6d887f55d2d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
7024194bcfbf23ee3939c7d1826bfae4

SHA1
a6f13a8fe054acf7d194a063ed4a2187a312f398

SHA256
d5b7b8c6a5319853a8c153852735d7998e220cbe72677a6d022a8e4a643ed564

SHA512
33c4842bd53fcb3814ba577a31225f4197a0347c1a88535cfa851cffb962b8e8c8cf690d33416875b057520e8e922c3d37fcd4f3870facc21924a1c4067338b8

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe

Filesize
3.3MB

MD5
df83ddf2fa6943e53fb6a51d0e9f0d25

SHA1
32e83ac8050d6f79ceeaa7e84165fc7f3ee8c367

SHA256
ad9788b4a029e539c761d39bba92cd9d70690e4f88f0e334df9a13c3af2939dc

SHA512
e0e273a436200a06a989462637d413c3916a820557bd282963393d6a929cd92e788f62869296e1be0385fda3218cf0e6f0fac5e2081e15d93ed9da8747800cac

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe

Filesize
3.3MB

MD5
1f11fa330c01587fdefc7556f295b14b

SHA1
8be1fa7f72469b3b6807cb0f2d5b67098bc795b7

SHA256
b2d4ca9fefb75b9cc30a2ac626400787b57f49abce6e60a8ee0646f8ff79030d

SHA512
620a62e60b27e0e4f6dec48da8ff2e665bf6895f96c507e01dac81947426c8b72f5a929162d161276d3aa62a47ddd8ed96d690e35677663ce076f75e0789d762

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f9929c75a15c47ed8431b3e31c2aff1e

SHA1
3d1338029276c4dbe99d859519fca5be63c2a8a9

SHA256
ac676a9410ebdb7aa89d1ecfc64f7bbf729939b29648d7d58d4aea53f8cd6158

SHA512
6e1e907b9e34f92a40d6bf1d3cb5675d6e79e314c4beb0110357b09f0572a7012f33dffa411d8521f5205351dc6945d61ffe17da53fff28d6fdef9daa953be0a

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe

Filesize
2.0MB

MD5
4ab7cd5131f49affd4e5e4ca57b125fa

SHA1
b3e7f8d7fc65ac0787c5d455402b97cfcf340754

SHA256
5bf0c7eb2b52ef93fea81f092b095541815a1dde8c4d35cf7b48f2025537c2ed

SHA512
85e96772e8dd9a0e61189c229b69f3e38bb93f3067e71f0a7fd512a1e38057a8a1a884c1c99d187ea5b2b210216ba910a0b82791e37f04c7c6caf6ea78f0cbb9

Download Submit
C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe

Filesize
1.6MB

MD5
bc54fa9dba29f6f19014ae65e5eb052c

SHA1
94a3f2a6327dde486fba5380f40c738f06b2a5a1

SHA256
8572ef06c555bd30601882fc6295fb8a92c6610acc6fc00e5f211c371791eadb

SHA512
0b70e50fe6e89dbbb1f483e8faa310f07c7aeec25d45e6fcd135801de4c431ff394212e60200df93d4b0e67db6f70ec715502bdd9c1de97fb6fb219f592a528a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.4MB

MD5
1dd16928c9b6250136b76eb0bd638083

SHA1
2dad3b204c184ba4c674d5cebc3465e3025dc03d

SHA256
5f80f393aff09f41d7d3ea6fa9199f01f9acd42ae66f80e95b47f9f948ba4d46

SHA512
12679249ba7aaa49bc438ecf261c9e644c904ab37c32f371f71059c091c23b1cb2f5dc6c78aea3b4985644f1e3ea681f0ccb177e3961f031d401335cb9879251

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
eb27aad40905772dad0bacb88ad8db61

SHA1
874de1d444b075998bf2f7d3dbe81dda2d86d2fe

SHA256
4afc9a0ae7480378a716afc558b9043b42fc2d7a0f86ea2b90f2a5d8691b58d6

SHA512
f8a78998ab37cd0d7ba92a1ab1269a33c3d573e1bf344bd9d91b52b71223088986d3d7df3426b535a2329c3f3280189df5704ec0eddc1109a6853fa30ddfc8ff

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
edfe1a501b29d5389748cffaf708cc9a

SHA1
6a80d3c8eb860d3695f901ba010b3dbe592a1bfa

SHA256
6a45881fbb89e1cf3fea410343109c9f4e448d1f3c558400c486ce7e51d13505

SHA512
1bf2e045e5233326b1a49a9cec4bd3a806dacb1524e5cdbce7224b82480802ee77c3ceff2b6296e39b6ca70453f59a4aceaa0adf41eb7f08d52133ceb9ac39e6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
87ec0ce3fa025c8e29a2bf5dd07c69f5

SHA1
41aa8df0006f5cf617bca64e4f79567e954212d3

SHA256
599f1d05c0f510bcbb9b28fb4d313016b152f64486cdb527bcff8f9e80f5dc55

SHA512
c1f84a8e2bc679e383217f696bf7863fd2f05f24b993886e9d112adafd85e3a72c9a459fbf40f42957357f947397b4ff8d8e5a8892efda1f4c60cb2022f41e24

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.2MB

MD5
705fcad2d3b91627de177296e573c212

SHA1
301e3bc68ad32e976566fb066647de5ab841b899

SHA256
f9f312fb004375b6cb13d801bbb265c2d9f3b7b0722eb958e3033fae039e0df2

SHA512
7634a1c0e827350fc6a128a97f682a3a3d49611a33f0b09a315fc12539eba90edd5a4a6175813dd743ec6e04c875c535947823c54933638ff4c22b82e8e6788f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
8fa1b8e9dd67088226e9ba37046d5311

SHA1
bb88d8fff639f0ac98bd7761d5d2fdcc1d3d6a58

SHA256
679434dec6f6a749a6420aa02a687fe5ce2b8c79d3f3cd01c4275392da21da12

SHA512
1f83ce195da0d613c0c60f62cdb4041d73cf8190d20fa9f05fae5a26eb70284d19c24d27d5d655412b5b2441858309b447abff2ccf76bf5ce3cc03966f456e11

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
4bd38a87a07585d5d678f2b2b9858ec6

SHA1
d00adacde9608dec8c87461faa297126ce41d1ea

SHA256
01e39c7d85d7e5fb34fee87a9d15e1f70518516f2c24fb77a1df3d34e070444f

SHA512
eb549fb30ad8aff839d9c057e3c0ea862320132d2dc6e8229c9df8ece62994bbd06a457c31287ddda7751cc561a8bcdb3790def4e0bd0f4480cb346929021cbb

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
6dba13e72f071d80e041b401b744f9da

SHA1
9ccc675c138282994867f7bc2a46195ce9bfefdf

SHA256
e4023645b5ab2ed154dd60311a08aeedee565814bd7045018715dd0b91f2be68

SHA512
d7c6ef629d8f34682192644d778d25f5d95c92cc923e6662a13912d44af461a7ba2e8d78881a7a967c2ea7f2a403bae3e344980eacea2b2343a0c02a2235b342

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
3d39b35dd15667ce9cea62b73b9e1e25

SHA1
6f26cf743f5f8cf899cc9ad41ba428a9e6e4948d

SHA256
b731d134a75fb9695d9e9784f6c150a36ed0f30d5e2b68014575f5db056b7055

SHA512
d0d08a29ce5a4256b58a1a20f8110ef5728ce9335e0b272e56a5ebcce362755bc87e5a67eb5c8533d8ba4f7c522e2881332d690902b3c7ab07090f3e5b0849b3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
e05638e6cd0f94926b12383f7654b19a

SHA1
fa7a8c880659343fb0277346c29de8580c9e2d28

SHA256
507c9291150d9085b025cbcdaa1944992de968f35bd36c2f3e388c1c2720db11

SHA512
e8c8a327131ec451b8053d5d528c9ac47456b6df95c74a7220237a3bd5a7b2bbc1a12fa543f786bc3e92d1a782bf2ec973a093510f7b2517b07552abb2bd6ac4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
39048c9b88d9132863aec25505ab3c84

SHA1
e5e570037a2ec93902a6d6be5ed6f658bb86e882

SHA256
18c09b671e57f965c7cd49947568c1ff3084a87c37f35b557223fe86026a927b

SHA512
9f5f2332f86f19367ea30c45f82edbfbccc22831146370b58a605fddf75aab82a48adb40a6c0e7e4ac86793371254ffba7b3d1607d55c9764e9a138869b0bb14

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
2be14bd922b6b340c506dd26d0298d75

SHA1
a4f13d569fe7f55aa386e2d155ee6929e24669ef

SHA256
4c270b7060376ea3a32b0f43c83cc397024e1f33f5ee8480fb8bc4b43277c121

SHA512
c3f4e0d64139334a048607c7b87da76ebb6e8ddfd66d35af5e2c78c97ccfaad0675c634ca6380dc138135d79ed274a176fbf90e372fa70336a5fb6b15e836cc8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
1f1031c377db667bd643fbe7a6d7bee8

SHA1
a5c6bf8be5df06e779a8cbc9fa8de28e372de9a0

SHA256
35debe4dc2a670526541cc6c2283eb2a16add0ee7c2d780f171a514a61155b7a

SHA512
519a4d04a27eb33c4cfc29336b87e124acd07f5920c7020010a80629efc98b74dcc357d37a6107c3c5ebdaebfc4f263b85906cda7180f165d3e7190f8d04e3d4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
32965fc98bc978b0f0ab76861892e66a

SHA1
28dcac8017b3aae4aaf00149af956a2b3b6a4067

SHA256
7b983f14f7106c5f020d178a2922ffbba708bfd9bed6b5eb65f126b5ec27f8e6

SHA512
c944b07c2db3945408a8fbdfd7dff3766b772ffea8f0437f764e8ac8409b83435089584fdcd60323472873eaa37f653aad55c6287a0e327d2346ae36758e486c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
d2af948b97c99cb5b1fc691d421b35ca

SHA1
1874d8c45443d0710eb6a94a95f44df124e427c3

SHA256
296807c3a71d6cffdb3cc0c1f1effe0d7e9b7eb4d3ca7d2c0c96534359a5511b

SHA512
d4b79df6d2045326f58ba2d6b0ea9a657dbae41472271c359ab238e9351e3c6aad122fe4f2c9773e783f0e6ca352a2b066ddb21a117d2c224855e359a6b3bbc7

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
7421d87bcc2934af4c4f6fb85f9c6e26

SHA1
04bda2f0da55b2657244264fb7f6360749bbe7f9

SHA256
45da9a5916ee9f205ad710e3549ea23f7301b3406fc864cac0e492827ce67321

SHA512
506428be352b62a168f10a87179e0b6c29958c1920d0a592330a99dc149a003d2e41a2c26cad48204839f985ffb05fdefa64ec6ec17c5d12be8642833d1f3daa

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
a74a31d4894411b99fb844a0de055b6a

SHA1
6d8a9f206f11faf6bfa02afacf7e6fdf68ee9d98

SHA256
2c633f1a169e9a191f517b82cca662c429629e23369d5fbb9aa40d0639cfeb99

SHA512
b3825a52b7d4536e8ba981321df09e1f1b644729fcf316d47f44abecce42f79aadf9c19ea822bd68af92ac006bc90233fe6d0c57f6e2e5c91c9a88bd771f01c2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe

Filesize
1.2MB

MD5
baa2fb3a0d28a146d50dae5e1736e39b

SHA1
950857ee18e7a42f567d7ccb12436007e126ac6e

SHA256
ccfd45e44316331c612e678a60f60ccbbba71fe1a47bf9c8adc2b447d46e74f7

SHA512
c3629cc802f84411380026e63878ca41c27506eb7576ab80dfa51b0c232338c7a09739397e443eaccebcac656e57963e4dbfd3a0aa3daea55a52feb1847b6272

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
53e4b419662b11925655eb458d57e1c3

SHA1
acbb6726bc5cca22b56b2512109d313d09a18d49

SHA256
ddb705e69c0ae81aecb2cf4645654d7d782976030f2209df059d2f99bc1be6be

SHA512
d447c4b9e356d05189d87273fb83831b46f7b50efe02d422aa4c9d6385df37795434c9e4ea1332c14e07525cc357c821c0a46adf9d475d8d91a7d7d24bd12786

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
632690d6c0c192f10c411ce312240235

SHA1
6107e7aff22a5ef62ced9020a3d5ed18eb434ce9

SHA256
b1f59c56395d20c61176232ab86194534089d5e246f42eb10af06be0c82c36cb

SHA512
b11cd256d640524fea826de946816621a9a3ca7983fe47177e1fba5e599a7c65f8dfa43bb5c8b30383e6079f9a528478cce9e1d87603251ce1909829baa68de6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a4f10fa846a49a5c2712ac5bce5cb00d

SHA1
536f246297c27f779a8fd30e3d4702077440294d

SHA256
fbc6bf926ac325ecff44ab1378b41f39a6ee204bf5478d103cb2fdda90d76eae

SHA512
1758260a17f1820eb393ed2ae80644e4bec3f38162e186b3a346db997cf81fe97f1ccc8de5f327dc1fd537c3973802916bfd63ab30c4ad0782ca54bde4e3d8b3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
67ffb14fe38b1c38b7ae5cf7f6e807be

SHA1
5d0d5d768bbd0118384089ffac79b7ec67f645dd

SHA256
f99b79ddb3f766291abad0283850c5a75f431ef51ba0bcf05197b5b3c3d52d12

SHA512
b34d21f3da0a30da13702d99464d4a3c4e7e6fbed547abb358d1ed8dbdab2bc9ee54c579ffc6fa241da4387833e980e01de8d61dc194a3a2c1934937c5a06590

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
78313d888139b26a3f7c9481d9ddc15f

SHA1
205196b47976a425ad04a545787884f819615ae1

SHA256
31ee39958fb49e6c704b62efc96396c5e3bfa97066bee32888e85b08d1cf59fa

SHA512
f946a78fd26f1771c24a6ade54a1fd32fbf7943abaeee140e76d68b60d3185a6a3fead0652e648fba5846c58843c41456742bee9173c9989790374e5b803c742

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c045a3f73fa3a3c2981b869f7ac25ab9

SHA1
9945331c02ffff6df5863bd7d77e69fff9babd22

SHA256
6ae840fb458cc660bb56b70b5938b3e480c5c26ce8616f1b609ce62cfd9969d3

SHA512
4ccb09f637722f5c4f489f5add090ba9a00853585e8ec57a353b45e24b5ae943bd7a5dd2e5e8569f0afa882a77b7dbc01ee41fc358f70026f1fce58ba257b22a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c2be072994d9dcde2498502999dcc3a0

SHA1
07897ed247a1ea77a4f0ffbb13fc26c994f4da6d

SHA256
027604a244ab4f7674eaafcc62d64344548303ee71a96949233be9b62b1aca03

SHA512
fae014f243b851979eb33796a82d99cbc4f581bfa3a57eaf9a2e27478e26b801849261afcbdc7f234926332c5f72cc51ddf25cc4e4c397a59f77543a1a5a0e5e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
c2be072994d9dcde2498502999dcc3a0

SHA1
07897ed247a1ea77a4f0ffbb13fc26c994f4da6d

SHA256
027604a244ab4f7674eaafcc62d64344548303ee71a96949233be9b62b1aca03

SHA512
fae014f243b851979eb33796a82d99cbc4f581bfa3a57eaf9a2e27478e26b801849261afcbdc7f234926332c5f72cc51ddf25cc4e4c397a59f77543a1a5a0e5e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4474c51760acfa13c4aea53ae5a64b1c

SHA1
fae883743d98c64001e2641adebc7eb7586191ba

SHA256
640d63868fab65d1279c3a4e93937e9f3b5f0dc8b3647632dcc7b1eff102b225

SHA512
0c211cbef8764c919df04b46bb9131ca6826c07342a06be9644345c750e4eb69eaa8eb1cb91b9a285fe954690fcf55a15ddeb016fe0e69f957801f073c69e92e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
033982a42fc910902996e9386e85efeb

SHA1
8ff25bbc40a78908dbd95c31e2e8aa3ce9ddc3f7

SHA256
9c7ac52ec3f5cb146a91e248b6f479fbe07bcb2c79baa83d47babb1bcb7a7a0a

SHA512
9205cae8c71ecda47c4aa698786ad9eccd27da4ae148015cb4edae48852d02383fe203009388e125f52c12f9e9a4e15f8658078b275834e3ff09b8f31f632b5d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fac085294c1616c58f6e8f30572a4690

SHA1
aafef02e3492f3858f668915f2317f6f18876b0a

SHA256
2f5c702c748e3b08948ed263eb7f10967dd93051c3d99f12e8e4aacf53cba3ac

SHA512
e41872d9785ea5b2ed3d35550201206cdab3bf4dbea0b0fe03a1e35d795034cea4231d39cd376a0b65b0473f02159ab7f43b1e277e85d90c0b083b65c24d4c02

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
29e2acd822dd9eeec8882bc80a89f160

SHA1
84a94274265601739a0be4d63ed864c78696d05e

SHA256
bc11bd1373ae83a09656b6e83b6e7b7e3762c1e40f5687303f7a7c259a96e8c1

SHA512
a6bad7b2290275a8cccd6a4f80e752a06c23b4cad7077d43bd9ec8ffbf7dc40684d68d2bb3cf596d1d56dc8065a9dbaf02130fadd3b4d8e7ac77deb6a66c5053

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
14aaaadb256bf3bde3f20e2a07e0b270

SHA1
1259b864d49e2f570ebc2e55f3b190d4f786f17f

SHA256
c5c31bf973144548b61638c93bccdadc9e8c75a87c01c702287f4142832e2873

SHA512
3f7ebc459a0e2f6f82507a34fc9a05c5cfb567fe7969a6fbeca0b4c0a0c19db1478fec165f67f73a994ec2a8cedba2e31211f14e4210437e0262cb2fde7df45e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
91e93f734074de277c86e0d4ea861721

SHA1
be4b052328ced0f0fddb579f451f13d4251e9f55

SHA256
518b6d50ee2962f9bdb171f3fe70b23b43783066475768ca6fe6a50417c0a0c7

SHA512
e2ee44df9d23033bd8fa5c236a1556dfef466b44557541aea4bb9b6cb5d4c69732187870bf6d349368ab65cb05c5f0b8ff6ee2676688407c743a65184a65837b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2094d53dc81ed88aeec6ffd7d760ee15

SHA1
bfafc9dda72e120b6e9df9b9dc38c246f66cf0b6

SHA256
22da854efad7b58ffd8d7edfb2b7cf07ee5fc5f0e79b7cd0d581d4c50fc5c7a5

SHA512
563f0666c2977d58cd12e18d62b52472173916ce6c2577a1cc37dd6b6c93e465a788c4fd2c2831a03c67a5f17c841598293a5dec0be8cc23346a1f3e83286902

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f1bbc7f14ca5a623c7fd4da1ce56fdd4

SHA1
87c1aeacb6bde50bafa5ab93bef01193083a92a8

SHA256
17db23ea14f6578aebb5edb1a91a149536729bbae08606a89eda5f3d85d203c4

SHA512
63713de51c9987a816bd609a8aee284238f0f23547abec8f68e22a261a31de3b54db1fb8b0224dfcadc1000a652127e24694dbaa4850f64d9d68f2a839d3536c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
851bfa40420d31fae3fed1b6e5f0623b

SHA1
3d590d4283ee00c65342e0a026107a27ea9b6a5a

SHA256
3ee2702f6cf09ab6448374c8420e3c4686d6f168a72dee3983b4ec9bb11ce6da

SHA512
680e8d87bb6460c97b356db1eb970fabbf3c1c49421c9ed4fd03581731899479a4ca744d61f2af98ba1ce34a8ef422bd8ed3d853195ee7851ad9416a2fff13bd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a75d237a1966a39060194ea21d775713

SHA1
bea78eca9385be950adbed6eaed2db9d37d5ec48

SHA256
55f925eda24fd11ec6f6747bc473d68b5cfc7fe48d550dc777599c1bcc7e63a8

SHA512
c1c6239b076468ca030cd1881bc56f431b4a7e118479ca2d5ad32be07d486ae428272b5053284902306ad2a0a60597751722a99c781433abbc40d2fd1dd2f29b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4e457bd3d739c39a043bbc1aa3eb11d7

SHA1
fd7b077b6e7bd3237d7698a8ae6017de9f0f2e6c

SHA256
658b1b4dab90cc98c64d68e93f15ec68b9e3592f4b89b7c96865e564c7a9a063

SHA512
7623c36d5b0f6c9bc20c0b98743bf0834dd9b07e7a9f8e3e0ceb35f2a42ad4d209eb9d35d14842630addac9fa1cadf18288b331b7d03b28d4b18d007b5c7a826

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35ddfe1d8df5360a69fffd26c8fc0e56

SHA1
b145dbbc59bcac325fd09cda06be9763c42afc1a

SHA256
353f97761c5780dc46795d98e7b1c40d33fbc1dcca46d0ccd6d85285c2f6efd5

SHA512
d96ac7f4d66a89a2ff3bdf1a9398e452efb68c50812d2f5e7710eb3b40096d32c619ead8ada9766fd900166d4accbdd0ccc1ef2cd682ea670fe4af8d309b2364

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
a4f10fa846a49a5c2712ac5bce5cb00d

SHA1
536f246297c27f779a8fd30e3d4702077440294d

SHA256
fbc6bf926ac325ecff44ab1378b41f39a6ee204bf5478d103cb2fdda90d76eae

SHA512
1758260a17f1820eb393ed2ae80644e4bec3f38162e186b3a346db997cf81fe97f1ccc8de5f327dc1fd537c3973802916bfd63ab30c4ad0782ca54bde4e3d8b3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e324333870b7b24411918db6350660c9

SHA1
512f31ac614107a41b0c8508a40290b7dbe1de2b

SHA256
acde9ccc6cd6cf64259bd403f9fe893f43de88bc4cf80a574a96fbf99bde2fb7

SHA512
959a48f58d7bd640da116dabae0f77de59b478014d0265706fb64d3527f15ed868f55f443e1115b192d7bb20e38cf35b374fa797b011aff550777418c101eb0f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
a202e805edbb5b12ae0d4b4371cf3a3e

SHA1
83765f3970ceff79f3647ca68a23198de086e218

SHA256
bf940f1ce5ee14c45d96a9cf266ced454fa2eab825f9675e575d886b9f36ffcf

SHA512
451e43e042e979ba331922263cb4c5e03cc92f90aab9ee9e8584d05de46305d9864376779fc96c982fa93d663b87d1f51ffe74f0099d95e479d5a4370f0bbae5

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
78313d888139b26a3f7c9481d9ddc15f

SHA1
205196b47976a425ad04a545787884f819615ae1

SHA256
31ee39958fb49e6c704b62efc96396c5e3bfa97066bee32888e85b08d1cf59fa

SHA512
f946a78fd26f1771c24a6ade54a1fd32fbf7943abaeee140e76d68b60d3185a6a3fead0652e648fba5846c58843c41456742bee9173c9989790374e5b803c742

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
9da7d7c46e89c6d8d73de5a6e3331c7c

SHA1
50aa8cc0b312c5a1e62af233b3baafaab1ced7c3

SHA256
0d2da7c065b9c33fbd85ac7b734f8436b71501e47e42ca935a71aa528d7eec06

SHA512
233fffb746ed9384b79e4415f03e788a18c4ae553058160aff81b9b1272f4fbd7b453f46e4222b18deb2585585ad939c316a82e4dd9e1969d306edded6c4f839

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
f6674d0bf211ec507ec301287c5fa0cb

SHA1
a0de2c4bf30923420cd5a564805bf6a020222d27

SHA256
111ebc377ae6b732460d03b4ce7aa7444979c762b612bd892c3d430059fa5eab

SHA512
0d241d17f6d86ddf6f1163af011e43575212b75871e1a897f494f2b5f99ab91764b70cc1c342d0f493810462c20254c25c75b210855b17e924bda74d0f69a181

Download Submit
memory/212-219-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/212-220-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/212-206-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/364-187-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/364-195-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/364-194-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/396-399-0x000001D883DB0000-0x000001D883DC0000-memory.dmp

Filesize
64KB

Download
memory/396-400-0x000001D883DC0000-0x000001D883DD0000-memory.dmp

Filesize
64KB

Download
memory/396-415-0x000001D883DB0000-0x000001D883DC0000-memory.dmp

Filesize
64KB

Download
memory/396-416-0x000001D883DD0000-0x000001D883DE0000-memory.dmp

Filesize
64KB

Download
memory/456-258-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/456-257-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/788-177-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/788-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/788-188-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/788-361-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/912-363-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/912-184-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/912-170-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/912-183-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1304-321-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1304-323-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1464-204-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1464-203-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1464-197-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1592-297-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1592-298-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/1592-393-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1760-287-0x0000000000B20000-0x0000000000B80000-memory.dmp

Filesize
384KB

Download
memory/1760-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1888-233-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2020-239-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2020-364-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2020-256-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2020-365-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2024-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2024-339-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2024-395-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2704-360-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2704-396-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/3272-277-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3272-275-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3676-260-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/3676-391-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3676-259-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3860-317-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3860-320-0x0000000000590000-0x00000000005F0000-memory.dmp

Filesize
384KB

Download
memory/4084-142-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4084-156-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4084-158-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4128-295-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4128-392-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4128-278-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4224-157-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4224-167-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4224-164-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4224-169-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4440-345-0x0000000004D80000-0x0000000004D95000-memory.dmp

Filesize
84KB

Download
memory/4440-137-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/4440-132-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/4440-335-0x0000000000400000-0x0000000000615000-memory.dmp

Filesize
2.1MB

Download
memory/4440-296-0x0000000004D80000-0x0000000004D95000-memory.dmp

Filesize
84KB

Download
memory/4440-139-0x00000000023F0000-0x0000000002457000-memory.dmp

Filesize
412KB

Download
memory/4564-213-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/4564-221-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4564-222-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/4712-149-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/4712-160-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4712-162-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/4900-235-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4900-238-0x0000000000480000-0x00000000004E0000-memory.dmp

Filesize
384KB

Download
memory/5104-336-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5104-394-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5104-324-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download