3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2024, 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
Size

1.8MB
MD5

03b5f95d0a8792cdb63781aed6c9e521
SHA1

c25073e239c1920e8ec8f9096ff63927cafdc207
SHA256

3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b
SHA512

bbea5d464e92f30a9f273ff2d0eda7a6ff39aa5b070c7af8926bb5786270c9b76676b3def4708063d19450fb61600c7849332d088303e04dde0e91c045f20a30
SSDEEP

49152:Ix5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAxkQ/qoLEw:IvbjVkjjCAzJCqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
2888	alg.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
2784	fxssvc.exe
620	elevation_service.exe
4940	elevation_service.exe
232	maintenanceservice.exe
2932	msdtc.exe
3760	OSE.EXE
3696	PerceptionSimulationService.exe
3500	perfhost.exe
3360	locator.exe
1484	SensorDataService.exe
1896	snmptrap.exe
3340	spectrum.exe
1472	ssh-agent.exe
1520	TieringEngineService.exe
4476	AgentService.exe
4152	vssvc.exe
2980	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\System32\vds.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\509ee5ce293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\locator.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\GoogleCrashHandler.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\psuser.dll	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\goopdateres_te.dll	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\goopdateres_no.dll	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\goopdateres_it.dll	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\goopdateres_ru.dll	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\goopdateres_hu.dll	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\goopdateres_bn.dll	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\GoogleUpdate.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaws.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM66C8.tmp\goopdateres_ja.dll	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eceba3a374cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000653488a274cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021bcb0a274cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e5b8fa274cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b24ae4a374cada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000857950a374cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ae09ba474cada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9f913a474cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000930098a374cada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe
4832	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	376	3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
Token: SeAuditPrivilege	2784	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	4476	AgentService.exe
Token: SeBackupPrivilege	4236	wbengine.exe
Token: SeRestorePrivilege	4236	wbengine.exe
Token: SeSecurityPrivilege	4236	wbengine.exe
Token: SeBackupPrivilege	4152	vssvc.exe
Token: SeRestorePrivilege	4152	vssvc.exe
Token: SeAuditPrivilege	4152	vssvc.exe
Token: 33	2980	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2980	SearchIndexer.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	4832	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 4436	2980	SearchIndexer.exe	107
PID 2980 wrote to memory of 4436	2980	SearchIndexer.exe	107
PID 2980 wrote to memory of 1452	2980	SearchIndexer.exe	108
PID 2980 wrote to memory of 1452	2980	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe
"C:\Users\Admin\AppData\Local\Temp\3bc8c8b9414b6cd4a2ec00c6a0d4d22584d26fa7fa95e75029b479bee5aed32b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:620

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4940

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:232

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2932

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1896

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3340

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3464

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1520

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:4500

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4436
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a1e23958962157812ebc49ba152ddaaf

SHA1
c036018b0d542b2bfae995df81b925828bfbeea0

SHA256
a5624efa3a259db95b22fb5d2b7958b158fd4203161e1e490846c49841df6344

SHA512
c0135a73edb2525b8a6bd63211a1d3601002495194b1836af34ff1ecc48310b7b25f68b8d75d664128df334d05c5f17b9c68b80b1c69526416f1c45a0d7f0aeb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
fd0fc9bd4e6a8bbc2270f39c80b39e59

SHA1
600546f6730dd5acc007b291bd991bb886281ea6

SHA256
a63d7567b3fb9b68a971af235b852612a46e9c735f4a3de924f07cdb9817b3c5

SHA512
51de753af0c694d4b11019a09718996e5b3ab9744eaba39431e88dc56f6637a8778e5bc28a6f208621e79865fb8dc58a53e5c85c818725f9e7aaa4a6c4aabde5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0ba2e19ed5ebc03aa5f15d22f58d0818

SHA1
65c6e629c9c216630fd1a6142aac5ddd92ee5b1d

SHA256
b8a4108702aa44c986b9fa4f8095eb7d533f27f1bfd880eab9a687b2757be2f1

SHA512
6a56da6baeebfccd858efd43ff8430a37469d97c35e5cdbdded271a4324c29a7f733364be4ca306d10c9f9a0376d95611facb273864daf0f56a9ef448fa635c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4e3a191fd97e4a2b463512b7a135d0b4

SHA1
c090c25be8b0600dbb45015371f80db05d54ba91

SHA256
a2bbc9d823db61e6ccc256c78444c34cc6924652c65a4c87f618505f48cf21cb

SHA512
ad4b79726f025c475601b07de28d9b2e37a7ac4f864dd935eb94c0e0ea8980e54d7787e164925d0048d7e9a9ba9bdf832aa12a8807a4f8a9707a87540e67a15d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c347784ff1adca03f103220179382334

SHA1
d94135dd42be5d313fae8be4e782c6e905b9d19f

SHA256
6055b13beb25075828ea9185dfdba0528a6f4b25fefe89ceb583bf67a4ac64fe

SHA512
2ec909e2bc57a6377e043150f31eb2816fa4f5cd1b2cfce399d5d122748f23b3be4b616936e7f331a9168432024f9bd6497184fd319b2df2594e6271135433fd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
fe9818c1d82241f8517b6d694c292f59

SHA1
cc6538425fce8541694b8d6ef25f486d88859062

SHA256
db600dad782b104c587351061b44254d9b5fb3723e29dd45387c5c627a8faf62

SHA512
110a26dc1880aed586e66f2301398582a671707ca002627c5fb1166837058776f67c636eea681e0ac9dd3fb6658794759e0929f7d205d94f4aad8b3abbca6626

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fd4c39902d9a51b221199e7bd1598ba8

SHA1
6ddf9400bad7fc693f73c5ea6433291121463541

SHA256
f199035c5d0ec8c7c852060606a5d4e6d4949b3d01118afb1368691e4005e1a5

SHA512
1e6b0ff4a14529a064f3659999a87be5be1c9bfdef35553100b47be3b5cc2d40af49cc40edc9d0ce181d62ace5823e8fe2131261eb4a1032962fdfa2acefaf36

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
62a17c8065cba86c7fc750b94dd6cc70

SHA1
2a5b925156bd78cfd59e932e35a4a30ad1b10338

SHA256
db5d7ee1479b79c27df00698b26af4093e1f9020eadf0eb381c1a57e00c26f19

SHA512
4b1dc313a8dd2a0a6d4ef53ea79b90f4367a55dd6465558b83c02ed05bf14807043a41bf6f336df7fae7d6caa108d68f9e0d88874dbb38522cccc138efdc5479

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7e75171438955e0df3a1ce8a0daa73cb

SHA1
ce3cdaa4078cb6b61f8945d2124956c773ca43a6

SHA256
ab67d39bdfacc5048f60b0ed02bce82640f4ad75b65e8918dd318a795419932c

SHA512
83d4f47a865de0bbf962c58b50df0aa36b2d471bda722a7f953b5ce8dd3600ba7853fb6ab7e0791d74b8dccaa7bb172decc22975833b520266ef4ee3d72a712d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
4f432da72231b6888890d93a2afb4af7

SHA1
6461f6ff675e97fcb3fa739623dfafb40b3ccc73

SHA256
a5ea11e5e24f5a4018a13a51c1bcc11b705193fb54a7ba26f2552e7364875bf9

SHA512
238b7c6e767f320ee197562bd005b3b4bf0f5763b77a3a6cd6498930579f742812e59a0fea72c4b90983e95180ca8d51f00e48c2f19c9d6c430c408f67d15823

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
bc07544831a2950698bec8fd04ddc9e2

SHA1
5f476427382a214c8b7456a29a10585076141d48

SHA256
56cd1c6162b8b8727c7ce42357b505f4e816ced32fe35f31830a0fa95f3f3dbb

SHA512
43f09893a88f51187681a2dd3f648226fe84ccb64c8f6baec4a07e1149e80f9f90885bfd0447975d52850ba81623f6cec79551da1c7b9aa66fdcc208fd4085a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b7fc10eaa70dc9357b3591bec41bf3ca

SHA1
568c33cfc35ca61eb45b6d794f03cf0c3a12ac44

SHA256
a4e898617537396d1822e23b052cd6420d98817b800e4da176b727568ced362d

SHA512
76dd184402ffcf96a45472e821391fca8c0521f3fc683f51bea1185f426f93dda1a711e7835e9ea885cc32688d3a65cec625a77efabf68bbc95a044bf157f8b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6a5c1a308636341ebb680b516d66fedf

SHA1
a8dfa2de6aa1cbd7f0e8fc73b14bd2c48502046c

SHA256
50193760a52ba92d731c19fbf34b4b021e0c7d37695d013ca7615bbbe98f9083

SHA512
1994914cac3d402a724e63e4ff4ead813374b5531661f96cc076bbdf203f1080f558ea9ebd90d43a365dce5a555385bb4220f6d7d5d6b51e72ffc4f37b82412e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b4e1a7a584dbaf24a5cee06f1783f50c

SHA1
563a27cced3a145c4191a3261a942ec7c8d30579

SHA256
2172b4e2218ada8833fce494e214131f4659ecc54f68f93f2b827df47e53bd07

SHA512
a0d32b3eaac1fb2dc4e6e937f75acb86ab5f2dd6bdc3b9e0c33b9661edb74b42ee850154626d49c90f2f4a8617dc31ef6218d7031716eb2004a77f02cae56203

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f6e0a9ec0021518f8aff0b2015bf05cb

SHA1
9729089041d0f7df8aada986e35f6593d38ef115

SHA256
66c72526c6218ba649eca9c76ee758235b8b1da6632718b50848d89fda2217ea

SHA512
1d47d65bab5c4117863d7dc91eae1ae145f663e77b28e7b5afb492b83313e79951714900ced5b4f46aa7be64a1e540e11e954319b4e34188eea0650ad1656747

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
581KB

MD5
7c7076c0f1b001ded5ff6ec7c22d9ef1

SHA1
c0baee509db27ee0739aa53259f8fff4933ff035

SHA256
246fb07b7e426113771e15db4561902f284552bb0e35751fc55c1e6e612203df

SHA512
3a1c0d00bb35038de9c379988a8651c7b5063204747ab244ebfdd6dde645e3fadf7b59644f131bc936d80c46345f169515ddeb6cbb67ff7d01adbee0538d7aa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
581KB

MD5
3b4ff234dd27fc0eb9abd6bebd7da595

SHA1
700cc82d4b7c15a67bafde869600357b6b5dbe9e

SHA256
7a0a9a838e9229e4eeacc6ca98ea2d65b92b9b09945189852c7ba28f5d202df1

SHA512
71b53a96b1698c25360db7136a574b42f23d43976d6106fb74cc05eb4b467f42ff13e447caf440c8431309e19d25d5d6f7acb3b87c92badf1d218700613a56d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
581KB

MD5
6ebee1e9e3adf25e6c3bb6634deb78fc

SHA1
7eb87535b4ee6df6775d20fa1718e6bcded5d8b5

SHA256
c5acd4fef1a9cde64b84c4c22861d94a9d68aaf828b650d463834cf7a2436787

SHA512
7d11207efb3027805752e8e938c5815c135a194c7996bec98e5b8d0f82c51fbe0a0b334710c6f62b80b94067ed8859a56cc13cc0245fcd24cca07f206bf99f0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
581KB

MD5
f57a29769b57cfb095f745c44eb3a595

SHA1
a7559da618d9051aad40750f7d924ee58320bfd7

SHA256
409fead5be718db405fd130a62ed7d0ba4256c078f97e6831356f4390b06942c

SHA512
f32ed9ac89d2ffeff94b7eb470c63f520f3de9d123e6e4ccffdeaa753c55ca5166cfdbb6e3db1b8805412b7922261928ccc25fac5c1501feb619c715269f107f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstat.exe

Filesize
581KB

MD5
6d1ae20c307182d7e1c5b07fcb603479

SHA1
91df0db82e87334ae3dd98b4593c5546cdfc0787

SHA256
b6d9f03be5bc9b99faaa1b5fadf8d1ffa8f7c4e85ccbff0fe06d56b92211b35e

SHA512
a6e2783f315b8cadb2d78c0c9b3d4c3e36c19f41d2f859388542ac5c56e46f6a76681e7596391492d40a51e876ccb4708f3e4c55587e577e67b540f0058f30c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

Filesize
581KB

MD5
db4adcf9e2f0a43d80f0f79e34c7da3e

SHA1
a307b6bb5baa37ceffc56ed41f307b6b38f1a76d

SHA256
da0de02386dc34d61837508d08e330cebed601707cb8cd66cd28e46a6910d84f

SHA512
e0aa38088885b5800e0462410023aac8b5fb2891ca9f1aa3ffc8a52972f6fc1a6e3fffacb7d8df804c9b85357939263b99c75b438029d05479eaaab2e5997070

Download Submit
C:\Program Files\Java\jdk-1.8\bin\klist.exe

Filesize
581KB

MD5
ba9587b9104197acfab76466a85276a9

SHA1
e4517fff95fc89e14cb11f023e23cee1343ae438

SHA256
a9728cf332b2093349a8b58d7bbeece2d94d70058240f037ea128ecc8de5456b

SHA512
501f99dc996db2c2ea553d3c3f019b83b1f396d2b91bd854dcdac204aab3e4f105952cd320c958ad59b69ff7d5c778c44fb0959687198e282a7bbbb6c788585c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

Filesize
581KB

MD5
2d46ff62594fe8ce433388cc459b8a37

SHA1
a0fc9a465c2e76c73b5719fb34c4559ccf696c39

SHA256
cd998c8a63bbfd5923185749ad01e0b278d978200fdc66eecd78f70f3e23d2c2

SHA512
d4f5eff716b63753eaaaa3f0fa41afcf4e59e3aaabbf913425fb7598035fa741b0e8ea1cf7add39069d254581e3973ece69e0ee3b9f69d442e91a0e5af351e44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\pack200.exe

Filesize
581KB

MD5
5b4502729bb2c3db34dc696240b689d1

SHA1
96c6b86cc9d692499cbf3ec402f161d20e521fc3

SHA256
2b689832461bc4291b1c18ba42df3eaf87ac5f7c7f9526c6d85960f6ef9ec1d1

SHA512
3f8dd12fd552a3f296d6c3c29262bc716dde2907845024e387cc91d52a9f2e551e2e471d4cf2f68af45f11d53a46d8feb94a613f315869b7a55fae72fb8ca5ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmid.exe

Filesize
581KB

MD5
09f55eab4f9af554354c1bfa92bfcfc3

SHA1
04c49d2be3c8ec91c790fa5656885d51e0cc8e1a

SHA256
be8057de81978f5c0be1981c26d332bd73b38721adbc155e69f5f53302a556e5

SHA512
f7c790df29e3d2583f3b754c5f478415b29cf784e073f34737aa454e2568deb0d7cf2a5e25e11cfb8c93c67c08936a2cf86f73b36b4f5d42778812a115670caa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\serialver.exe

Filesize
581KB

MD5
a9a873fcc8d30ac4c5c654372f9b93d5

SHA1
8d06a4f02fea6f72f305dcff5e8eae514d3842be

SHA256
b45dfa4b30db7642af106a805abed20fbf06183de89b2ff32e3757eca696ecc1

SHA512
c895f5d57dca89b1d4147da51dc5dbaa576f34ef7d843c1a78ad00fd52c0d657d4c7e042ff8f537efeea13e6025c6f02a044c95ec3dd8f43e2b25261e1afb8d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsgen.exe

Filesize
581KB

MD5
4487abbeb43f3dccda8c0500293d1c92

SHA1
50fd48c3144b5cae42156e15bb145f9a1bada9e8

SHA256
753ec0ba8069d889dd1107669d02e6b8a62cd0520bce186c31068763ca79fbd4

SHA512
c0ad4197710bf0b14fc8ef112361721409638abf6e0df27350caa5c215e7dbddf0f03a0146105d01cf8ce45829e15feac6964e99f482097d2519c372c646d52c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe

Filesize
581KB

MD5
2ecda8ca4fbd4cb7a4dad6bdfa7b5639

SHA1
39772b161d41ea47b53b3953fb409136e02a3481

SHA256
3f6c18578d3986b14cafac914803fdece6695cee20d3a67e0a82458d54a4806b

SHA512
0c352a011fa1c7186d85777199019c02f32882b26e8dabe2ca183e28e94f9451b9a61a710471d76c0d821286e7be8ca46ae5a30a0f203150f64de47866dc5647

Download Submit
C:\Program Files\Java\jdk-1.8\bin\xjc.exe

Filesize
581KB

MD5
0d3003cbcfdbeb78aff006e2f6d04061

SHA1
54655b7ef5b347b7e33e6f1b2e8fa922fd116cd9

SHA256
23991b89cee59f3031cb44356fb2c98a125d634c31158aa604e524b41a9daf5e

SHA512
25b831d9000332550e677b6ff995aeeddedcf2105d15436a068f3ade0424774e5d13f42bc94f07a2820130f550cd30402aec542206300e965aa0a7cb23b8a2a4

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe

Filesize
581KB

MD5
642735dc69a911934049683e088340c4

SHA1
c623aba6e0bb9311ee4869cf6b5217e4ee37ef3f

SHA256
e4da68d51abeffd5c05bdfacff5b463bc7ddc33a5d71e8a0fd32bbf4870b48d3

SHA512
fc088dcec3e4f74bac2eada06d225e1f0f3236a9da23954da278df57106b69e3181967c4a8dc196f81ee0500b0a545444554bd0c46e295cefd5ba196ce3f4df7

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe

Filesize
841KB

MD5
b72192fbd9378d2cc041f63e5c559814

SHA1
6efb38c4ee4384e340b2ef00503a9fb879e90512

SHA256
e7ca4d422191a1cd66c3c9b62c9c29514fbe233a6a9d870c89354ccbae3fd6a8

SHA512
a63f1395e913d2620803fa6cf9ba231820d0b2a8886382d1a63f7da449b5809db31db5deb87528ba40117c0d9358133980f0d4598bef62544684b46a25feffb4

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe

Filesize
660KB

MD5
c4be40f6724d168bd429ca9d5b288d16

SHA1
39f1466aa0198e9102254fcad738e32e5f7a16ae

SHA256
e090a2f02758fa07c7040c46c8cafae58c08fce7379d605e36d202d58cdbec10

SHA512
f645857f9c5c74d44c2dd027b5dddb51af07f1cb17b6d691d42c8779f41f8a26722d37b0d8b929a333c60593ee7b2ed505252adb1276292ce6bc296576c69a80

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe

Filesize
1020KB

MD5
727925c58af9f07fcde9040f0c9f7c95

SHA1
86815cbc670746369911f680b456658b37fe7231

SHA256
a8d7bf8de93623d1e056b3f8c9689155006424f9ffe83ade96f297934be8a2c8

SHA512
b5583674f6090a2d030c0606c468913d95b9208494dc7b0d52b664a3545cc42411b1726e843702d82d5a40d3748686ff636d1a3c3670b43ba8f1db096bd64fa5

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe

Filesize
581KB

MD5
ea2ba493d516fab756a8dab61cbec9f1

SHA1
f6c1ad9949afc235de16507b88201ac00970a53c

SHA256
37204cdeec38c8fcde4cb97e8f600e47f14403a6c9a53d392880ebb0847ed496

SHA512
2c02b9d949d9d80ce3551a7a8dfdd6777a1beeefa146a794c36ac00b078d450d6b60399f7ad620e569f19c340d446dabb087424335db5e7630af756c34fa8ccd

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe

Filesize
581KB

MD5
3b4486722534511e565d7fc787047fd2

SHA1
743cded2b4fdcb70d70d6c47174e57c11bb9b023

SHA256
b4af94e7644721d4e235ba8ce27758808f5e1a993285f964ac73d79b563ea024

SHA512
e32fba53525a85624f6045b09eaf6d01416b528b0397b54a0c96ceae08072aabd460e688e41f6c519f94ce8f43f9822eab317ced6dc3401197097616d307631b

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe

Filesize
581KB

MD5
bd1cf4d57424e3f8a557525e080b8c17

SHA1
9d25c986873fe2ae2b9b54e52e48bcb75c8c1efb

SHA256
61e3bfc1ba3a908b3aed0149f4bf744d3da27969a16219b91e1427f0b2d05fa7

SHA512
9147e8be1fc16de1105fb03aa9caa7006164e7ea025f35477ea8136b0fe43499a23b7a0ae365b617c2e87a6de9810a896e03d0818f0cd80a5bbd8fd8baea5936

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe

Filesize
581KB

MD5
8e909363b9c61140c047ae3d6d5fc1a5

SHA1
a13169693934542e7f314e231f917a2b283828db

SHA256
5af7b954c7a4e64a79b52e3b8b64440ac07e33d21cc8140dce9eceb16d5c15c0

SHA512
ed04941ca26b45f48074c807b90de4980e9c5473a570cd1017a592e44c45758b97b5c3efa42b987edd6ad7f75e0a4189adea02cf20e7ddf6787c732deb782fa8

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe

Filesize
581KB

MD5
efaf362480e8cf548a5989b600e734c4

SHA1
191a3491bcea5a0dcb6529b9ee721dcd2303c054

SHA256
cecd21a5b5d707a6c8781bef9d968762fdb2d471788964c6f2d4ff6fd7d8bf30

SHA512
67627becc44f4f81f8834141c1fca2a1c894faa3f6b27c56d80eea522065a199bc0beba82ee5ca31f448cf26da43a15fccb681fd6ef475ae9b1c4b2deffd385d

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe

Filesize
581KB

MD5
bf9452d72dc75f1abb377a3cd16f4543

SHA1
b8fe02881963976e9babc0d71252d8cb48b84b3e

SHA256
ca7514d2b5129f7e7310948ace561322ad15978c5ed772b803aea1732c35393e

SHA512
9fad619d8b97c98e0180e5de283ac7ecbff611a17e50f9a6caaf73eb943aec66c43041afd293edf00dcc7ce860c9b88d1a3ed6f0f2fd47c4ed7bbe8f1d6b3d0f

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe

Filesize
581KB

MD5
0a7632b5eccc4c370fcfdbd9406bca08

SHA1
588836b6017bbf6f8b1472598dfd981c73e9de57

SHA256
6c4b445e7a463bea5b7b9627c1bcfc7fb8a92ebc9c5658ae1ba5401e8bca407a

SHA512
7c209108d10fa3f06ecd8ad717265fb93c47a354cc2b52bad834ecff95c813fa6b65533beaefaa4031f5c8eb2cd126ff5b3ffb5a6561f3bab838bf7124016a11

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe

Filesize
581KB

MD5
c0720046e5e4f6742b4e16bd0d558d30

SHA1
f16361d5df85d898a6455b6c76e8c67ce9d4ad90

SHA256
cda6eebf1bb52c3ff33b4e863265e4c2c3c6cbef5d9709d40acc16412667eb7f

SHA512
152db0c4493750e625c6289a0ba423183a716e548abb02790043cc23329a6665ab420932655a2e95236cb4c39d15f6590dd5b5a530c245602ce176629613a809

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4d8d3678161446331fee393b22496f19

SHA1
f9ebc54f8c1741cac7d056a74acc5ef443acc839

SHA256
6b63943da9ffd743fc4163da67c764d2cf5b23d92e3d661af2bdc5884ff86232

SHA512
380ad5fc9b9fa484a0c9f6fde300820638d5bf189b5d38cae80db3c3963121a7fec757c7bce5e47b811330bbec3c28287dedefd0aea369fc3adc2696a3be4be0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b7a0ee9afc8bfd57418e2e56674ef2f2

SHA1
4b0ba219ce214efd505c81fa2d96325be9b2dae9

SHA256
2ae5dee513db3affc429fa9a8d11d8146a1bff1b1098b7f70a83d5f5ca9c0042

SHA512
7500cdb2358ef8f6ba5dc99b0191662474973b6a21df2f20ef511e7ee13a04792bcd8848854be5c7fcc359a19e8e82006910c8cb77617ee17a04f87601a2c913

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
dc6c783213083c14dedb30c54b390b4e

SHA1
9862a3fdc70bcaf27beb62b4ee65c502e41057f4

SHA256
64ebd3b6501fc03fd3e01b87a4fac7dfd593b5e2c5cdc9a92d82ce9f5e7d3df1

SHA512
0807f285cd47a91a6b85dadd41f0ce5f33e37a4f491caaf8b82f47f6ab5f63a908dac0f3d91804c6c01350ea2295a68eebfa29e4b27825403cd59d861f19d9b5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
474ad9299b8f6552e67a157129d27d3d

SHA1
1d08e79dfe763d2a36d0c0c0d61e4d975194cd78

SHA256
2ae6375893a9d47aef6a139376c2708d0bd9f1fe68f6ab2de33c7fed7a176e75

SHA512
2bacbd8dfc3ae758f7ca979f14e11f9d9af2e13cd65dd2cb93f2b999cbc4d95f55e428b5ceb7e6398663da793b5e9e1daf3043003dccf81238898b3f4a980b80

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
02d15971194587317391b727a3d65a72

SHA1
556ef49fd6f13edb94aab8a2b7519284e43c5976

SHA256
902523a5b84da582959a0b510c93cf1f4c2a4e19cae66fed386c0564a13bc048

SHA512
c714d2550589c99ba6cd2e75099e78f7d5cc9c76346398dab55232c348bb03b1599873505d9740712c9bcf511ed32e5b0a5424126863ec97251e023fe7bae35b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
552bd15495872e32a44b8bfc0f8d9364

SHA1
0bfb3add254c98f1d9a4e88ce5fb105e10854fba

SHA256
cd6ba58b6246f86998a4a043fcf9aa89bbc02f9eca9fc9f73baecc5a1b9ed405

SHA512
70d570e5aa85cfd5f8d67fb13626b2d5d21d3134ed47228fda66b0e9d6fd2b3aecf92638ae3c28533b148c3a04db78d71094751421f6911483640e6d4bc4b24e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
0524cc12731442f959a21a266f814fb8

SHA1
c6a7adb34be4687e0be4b8d15a180903206c42e0

SHA256
93e0d5db5b415e97e1dc18d9f94ea3d327a1ea43587b4fce4ef8e7c7b5428b78

SHA512
e5a215569a95e52148c7932d1cf5578a17054f537ea018339b489b38336fdf49643dc3c3b06a6eda114aca6fc07c286f2adeb1adcff779acaf50ef99b5f14ac8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
20faf6c7123494fc9541a36cd50c3120

SHA1
22beda425b1174b90c12db4a23437bd6f64939dc

SHA256
7f31639f33b4af87a23f8e726cf5af3dd3e76cf3b4d202e793df99138ee2756f

SHA512
f3a9a02fb03459fe41254bc594ae691c410089b81f205d06030fe84674527dac3bf401e700d4487f0709c5480fadff30d4b4944c7b6f1362133d81bfe98c7b4f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
397eb2d4d33244c4a41d3f06f5b07f59

SHA1
2846a80f03b51510dee3150a47bb96642e8a501d

SHA256
2e201876da45914dd5ddc53eef60326deb5862c3da18c09476993cfebbcc960f

SHA512
c4ff0e18fb3a9578d2aaa4feba4142d4ea4b4e3b14e4a7fdbe09c3bb0c45e7116d8c5abfa5a724b1031383eed478a206c485a08f46b3b25feab3e2cd4a837227

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
edcdc85d65ff195bf460c286ba83c3e2

SHA1
f7e02ad2501b3d858c335d88cf03ffdc3d47e390

SHA256
6944378d50a77e6e24a496c95eae068d3eeea9714add4b3f8e06e7c4ac64034e

SHA512
9d232a285e348cd3bd5a0dedd30086fd6a7034ab96f5de305a9f737811129355e88ac76e7860d1e566a7f1bc4fe886e035524f75e1a53ff9ecbd97902fabbebb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4cc79e43e3cf89df66346aa9e1111b3e

SHA1
a28a00e3977d58d08bc0ebe7e8c2f5f6ddb1ce08

SHA256
13760e47c1bc642832fafcb754312475244895529b2cc0cfe1fb4ad1479f13f6

SHA512
af21cc4024f75a1e3d35d1ef2fe40115e04847fe7c5e1ad4b1c4614f4898fd582f2fae0d72380cd6bdb0cfe72b8199fed484a4bffa01d0b3a4f50f512d69383b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2074877517fcde633a593b6991683297

SHA1
64037c2f525f409da9302443f469e671c98e0478

SHA256
b9aa4387815852f6c8292886abeead60e32fc1fd8951e536e0daf390380adb9d

SHA512
bfe91b70ab8b6ba6f44b32f184c0b7fa955559fe3971be74417ad6e460b69cf5252cb1f2aefad95450eac7aed961df3a41de17bde0a6e199c466e5e9a120b7fb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
125b01fb58b66669093cb5c768582504

SHA1
65c8a9b96b100df88c6c924cf28621c16717a0a5

SHA256
63832fbc5c1f1eeb549cab9caa269a78c20a07646187ae20e26a2521997cafe0

SHA512
1f0b075052ef6a8f97687bd5ea77c3e2c19e9c2c52032cc67b002cf263acbafa9116e4f783989fae6f2706594c5bf053a129a95c1c89005406e58bcf101e065b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ad18a79675caaabb2c7e8ae5a8a6a3c8

SHA1
7460152a27c93dc6ac07618afc5311b8d3bab495

SHA256
eeeb7f21dbc79c48f0512bbf1c8e56cfae3cd4bba63695bc6688f89dfd479aa8

SHA512
84076ad5c0f3bc96a5eb966ccf0991bd339a07aeff34516cf7f7986394c74925dbbf40c2c7a86b61b511a286c46678ea62ba0a8a1d1d0be829721eb5341e5ac0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9306ec05e46c1f70a91aee2a5c5caad3

SHA1
174765ce51c019d8720c1826811e78448b8b90d0

SHA256
958fa548473f48f3342a0983799862c7a21e09c130761bab1e5c16d373685c3c

SHA512
b49b316e76d0701b28cbff4e20fe3056e0ec46da7086612416f8074d38867bb5ac53751f287c79e2ef9405cbba958cca273ba555106c996ac66e93e673142dc7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
70e4314ed4ef2528b5e948b1475de641

SHA1
2c355d0a317c8bba035c5a0a4ee0f3b659af446f

SHA256
b394b3a3b856eccc4ab88742a4e896d051f8dbafdcc0b41b6c1f4903c7510b08

SHA512
95e6b81289da2c84c61daeeeeda7debec0133705505f383b22ec8bc72226c8550ab677af569d69e12359b82bf0d979551e5b31ddd2a3a4022fff4f2d3aef4fbc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7a273884329c34277953402775daa5dd

SHA1
dea635cd8d063d18503b4d4a8a73f388385e0051

SHA256
1f0f9c73751b2079914c4c6ebe356028030a08278c9255ef5252974a71b89413

SHA512
f6adbc0eec3df71043480751538ce24e04ab182e62d3309aaa57cee482bca922f448155ef86aa8dfa39123158ca3ec5c4bb60e295ffa5f413d910c660d0c2756

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e1c6f2dd0588102a6537df53470a7e74

SHA1
cf124a036be479b53ea75edf0e62623f8a1b5d63

SHA256
f0884b76ad895399daafca01f137beaba10ee636330407dc93b86b77f9ffa38f

SHA512
02da177bf5f22a22cef99e7f12d414e2c0f17b02f3c46a7d07558f5f804a62023dd8e491f47f77c0605d1ba5dcd1c906e75d1317edc9918b54e2c22801f7d37a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
13cd8fd02368d5ca3f7213bfe9ef4b89

SHA1
a55bdaa5c54d6a76fe1741ef0c9b16e47334c935

SHA256
9465d19dd0fdda5343191fd4f61d7086fde1db74ba16211e93c8c42ba0279fdf

SHA512
a344709aba65b0f86769f00d30ea94087c9d2a5920fce25a1d1ddc7fa1e9a8cd08b5efc0081d1e41d9a0cb5114dd8f331aef63fc197362665254a0a73c8e950a

Download Submit
memory/232-153-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/232-142-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/232-148-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/232-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/232-150-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/376-264-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/376-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/376-527-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/376-1-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/376-8-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/620-126-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/620-329-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/620-120-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/620-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1472-259-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1472-686-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1484-244-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1484-602-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1520-265-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1520-687-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1896-245-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2784-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2784-111-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2784-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2784-119-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2784-105-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2888-21-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2888-276-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2888-12-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2888-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2932-231-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2932-157-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2980-330-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2980-693-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3032-692-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3032-310-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3340-683-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3340-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3360-235-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3500-234-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3696-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3760-232-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4152-308-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4152-691-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4236-690-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4236-299-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4476-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4476-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4500-275-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4500-688-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4832-100-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4832-86-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4832-103-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4940-450-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4940-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4940-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4940-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download