3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 19:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
Size

1.7MB
MD5

08dd4f41a0b8617d265a7e6fb52fc54f
SHA1

db64f2f63eb8dfeb3fa398519b30c60f55003f2b
SHA256

3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d
SHA512

a0bd5c08c04d7199fd0798351b50aba515223a302b5b6bdf214e602d1e8a79f46c64157ba5dc81c32fea78399f6571b5fa0a327b9ba6c3ddfe31e0787d8119f3
SSDEEP

49152:fKxNupkTcKb4rSUfkVFjBCks7R9L58UqFJjskU:yfupkT5NUQnC17DVqFJU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1356	alg.exe
3696	DiagnosticsHub.StandardCollector.Service.exe
2384	fxssvc.exe
4368	elevation_service.exe
4720	elevation_service.exe
3936	maintenanceservice.exe
1332	msdtc.exe
4912	OSE.EXE
3492	PerceptionSimulationService.exe
2380	perfhost.exe
4456	locator.exe
1868	SensorDataService.exe
4728	snmptrap.exe
4444	spectrum.exe
2304	ssh-agent.exe
3124	TieringEngineService.exe
1212	AgentService.exe
4904	vds.exe
928	vssvc.exe
4916	wbengine.exe
4560	WmiApSrv.exe
3068	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\System32\vds.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\locator.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\System32\alg.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c56edb22dbdc151.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4896B57A-BA2E-425E-ACC6-3260D1FD1C27}\chrome_installer.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036c4248ad906db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bba1df89d906db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002937d288d906db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a86678ad906db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009bdebb89d906db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000963a7588d906db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aeb4f289d906db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4032	javaws.exe
4032	javaws.exe
2180	jp2launcher.exe
2180	jp2launcher.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
Token: SeAuditPrivilege	2384	fxssvc.exe
Token: SeRestorePrivilege	3124	TieringEngineService.exe
Token: SeManageVolumePrivilege	3124	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1212	AgentService.exe
Token: SeBackupPrivilege	928	vssvc.exe
Token: SeRestorePrivilege	928	vssvc.exe
Token: SeAuditPrivilege	928	vssvc.exe
Token: SeBackupPrivilege	4916	wbengine.exe
Token: SeRestorePrivilege	4916	wbengine.exe
Token: SeSecurityPrivilege	4916	wbengine.exe
Token: 33	3068	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3068	SearchIndexer.exe
Token: SeDebugPrivilege	1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
Token: SeDebugPrivilege	1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
Token: SeDebugPrivilege	1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
Token: SeDebugPrivilege	1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
Token: SeDebugPrivilege	1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
Token: SeDebugPrivilege	1356	alg.exe
Token: SeDebugPrivilege	1356	alg.exe
Token: SeDebugPrivilege	1356	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2180	jp2launcher.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 4032	1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe	85
PID 1992 wrote to memory of 4032	1992	3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe	85
PID 4032 wrote to memory of 2180	4032	javaws.exe	86
PID 4032 wrote to memory of 2180	4032	javaws.exe	86
PID 3068 wrote to memory of 2960	3068	SearchIndexer.exe	113
PID 3068 wrote to memory of 2960	3068	SearchIndexer.exe	113
PID 3068 wrote to memory of 3272	3068	SearchIndexer.exe	114
PID 3068 wrote to memory of 3272	3068	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe
"C:\Users\Admin\AppData\Local\Temp\3d14846228fef9a2a14f325674c81e7411cfa3f9ec920e9198fee137d3b5108d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2180

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4720

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1868

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4444

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2304

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2960
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a745e8363ea9984f8a4441e2ad7a6648

SHA1
bb7431e4829aac54534fe5a64108815beaa46aa6

SHA256
b90f0ad72c5aae0c13608a1527902a0d6ffbff2538772772eca41c1d50e85e10

SHA512
cb6705d90c45a18dfd2f8676034395c33cfef1cc936c6e42bb2d035214affb9335394ad6528ee093ddc255059136397403357b75c08713f695299b84b7ffbba1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
678de7c2a6033dd0ecc6355a838d100d

SHA1
3ee0d8b5bff26eeab1470f9824da66c12c3b0397

SHA256
b3f37187403fd4d9d71917876e260a57caa4872def1e38169d3b7f5a2003b85a

SHA512
1c1b4b2da06ca6d8b29e47fdd3f8126bc472b76b776ce3e55f94774cff3242ebac8217d5b6d6686c6f1dc23a112a74afdeb84e0aa41d65b3624f40947284cc42

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
8cc59d1f89edccf7246fefc3fbd90404

SHA1
63fcff258299d3c1e0f0bb44ea8ab1d07f0835f8

SHA256
e45072bf660bb0258472a359ba36d98f0eabd95a3d7e83ef71d1ed755c60ffd0

SHA512
e768b693ad3a04ef0a84bf21ad668ebb6bc80445fb0b05de4cfcb8b4c7a1948c52f2eeeeddf16f59e8c4593450b1a4ef88f6da62133328290856e5e5eab20bad

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
253cc9e2170ba58ced6708527661a9d0

SHA1
aa9cde272a94864919cc934271c5f19a262893df

SHA256
97ec64efe73a6d4f337bf52462b25310a5b51e86bebafd5d995e26b58dbf30c3

SHA512
566396f6e6d3dcd01a84a5c452175759c6a84d69e7b60983246531d82597d380cb129d698df7e2dc9c9f83d3a19ee81c55949a4d69d8490b4af88d1f0ed0287e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ef7f41257b88fafe3d06b348d19a76ca

SHA1
c87bbc2e5f13af352a57cdd48133bc718fb8e4c0

SHA256
d2b5dd0736b5d3461082f81cafec2d5fc59b3013ac15896775fff2d0a6fe78c5

SHA512
070abf31cb8e281e2e4cc47b99028b4304b804bd42e26bba2ce21cbd2db37243e785b620e7cb59d6fc2c0b37efcaf83a91d44eb4a53cc760ac80e2b391b38bc7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
4cc46e4c9743940f4bb4bb553a070d82

SHA1
ee46b7cbd00f358bf187d33e52d43c074f1833fa

SHA256
387b127e266dcc073e2aed1f461f5e8ad965184a4d038f1360a2e43c5129d059

SHA512
93a3534dc78ab4b10b28e2201c105f96d49d95774f98d2507c93eb0c17177d1b69fe10a8cd3e59737d05483ce326840c796b28626d5794e02af982ce8aa7b5e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
495ecd6526d585a63abcad23ff9f1d46

SHA1
08033a563d17ec1bb14c606ba281861b3760cf8e

SHA256
40ee83892bd6b102ebbff1f3859ba235c607b0579abab24c1bfb9211a3055c7c

SHA512
dcb55e9cfefd27a73f3ff88522f9c3668b3b7320154820d5d19264db8e448d4d2fff220b0db3a901505f26a38b5fb07c3b42323bbf073f990cc124c46fef8be0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d3356614c95f215ee3800f516e28d653

SHA1
10af37b154aa58a30956e79007e10dc8ef1706bc

SHA256
8e5af96c4ec2fc4f7c5a0e96f3bbc65650d72ecd3911a65c37064452c8f4e738

SHA512
62b9b851587b64f763b47da6c6e13e94faf3e6138ec80ab40ffdca1f0e7bdef75e148e23dc17e547183346129a62f22f529d6b553f078fc20de789bed62ecddf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
9516da540a53b0761a3472aa21497f68

SHA1
172f84ec15b7649fad3697b289cd6b4ffc232bfe

SHA256
8f8d4aac9ebde4864a97f64092373a390537f9bb1f80024b39616303376c5a7a

SHA512
364e79388fb7508478b68f18e7bc819762c3be5a08e549d34385ddb7abeef39b2156f4ef753cd2cbf80212906d155c0606e13ea4fc9ee9403760fc684d3f9e2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
aaa98cb3bc94decf122042256bbfe216

SHA1
d3a5646022b65be0c3a8d2b7a12169f04e5394d8

SHA256
97773e55813fc693255ae8dab2b301bad3e3098f98d24f836706cb5670c24120

SHA512
398b58583b01a3c8db3e890f52405566e941b62b3e5fe9cb645e697a9db201e1d575fdbb1605b07b81e6117a0568c4e12358f9132b61ac21ecd437ebc2d9e0fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ffb88f184f98c17a9ac1c8cfa9d9b278

SHA1
6ecff237aad46c3cd4288f2a00ba1607029d9843

SHA256
87478d100c64b588a8d68809d469042298f7806e3491f4ead2227f805343b9e6

SHA512
d6a5967a6f52b5e3d7efd07c8b74c68ebf39f6b5f3c9dda2076dab92d648dc7a4a317d7efb4e5c9a47ae3809e7bd7807590f8490725041232d136de3f8f739e9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3c17da6c548eda72fd71e46c73209e48

SHA1
892483bcff556ca24213df5199a25aef95815b02

SHA256
6a3857dde1cd41201e401a5ef1c217dc9a6e085e1182b7544514f9f86910dac6

SHA512
46da1df87a9b62e3ffbedbac66f56a495d46a4dae6bc602dfb51c19ba3ac93c719bc79cf3bc564982e9fb620e9c4ed7fe5c187f7e85b54db43fa682012547b7a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
7a08098b63ef8a09ea7aa99b33875fd3

SHA1
513877cfc77aaaf52ebc933ef726493cdb88550c

SHA256
ad208b5b7898415aadfe3f58726052435275c9a9351afece8c5557611963887b

SHA512
36c7109f6bcdcfaec319721e4f72008a3873a8c29e7ba7c5e145e3a3d2b48930b1be400b7719f6edc9e379820e1e2df277c24771de2de5f98fe5964b0126683d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
748b84de8d4e115215a37bc91f298c5f

SHA1
5620acb1eaea384041a7649e02f2ef3a90e2676f

SHA256
e6bd157f075a7719eff051ecd027468cc01c2d591092d69ea5407f2b46ff01dc

SHA512
539cd0092ae3b67f0ea9de2926a6d895cb44734475f17e2ee9700b06740f8c11fe2dc978afda6e5194f16e5141f2de459a4f7883e884f534dcab526fd0712976

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
bf6e74673548518485db16e720ebf47e

SHA1
33532449e6ead2351650043dbad3108d64357b77

SHA256
0274b79584ed1c6e4bdb69e902cfeefe0e73689365967f321c388a2d2aced86b

SHA512
58c037a0e9e726ed8a6265424b87b433d14b41b8215eed46dca721fec31ec710093547b591ecc8b0e2d77bb36c8f47916605f685282e76a94deb44739bb6dd2e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
aeb3aa47b7772d79385a75c5bf6c7f0e

SHA1
1e21844aa63e5b032b1d60f84c6396cba52996be

SHA256
35aaf741fa835ea5fcdfafbbfd83fe757ef3a3d4a72ceac4f52e984e4957bc55

SHA512
03834fafb9b3c63d77d00d2242197f192dd4a587f0b2a6f9edf74cb03211dff893eec694f43ca67f7c235e3b8c12b834e34b19464ea06813fd69cb3bb54410f9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
33935b88c891cd9930e7716aa734aa12

SHA1
f23443c523e7ecd04213eaef3a8173bbe31867d2

SHA256
d57941cc01051b82704aec41febd70343f4ba9d786e3ccd102e9a70ddb2d1152

SHA512
678f6bfdbc735006111e0a1e9556be9d093ccc3b6280fd9beb56dc41d6ea5c6c7ed0be1c14b032f588f97613b50c9fbdd5b971cf65b043790a314caa0379d449

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0bcedeb71941ea7328c27da7eb2738ff

SHA1
b2678665dc4cde130ad623e70886c04aff00f9f3

SHA256
b5e3a7469cac55455e8f2eefa5034eda158e785d179ca46230fdcb30031963e1

SHA512
356969aa586165637e884458a816057444eba4417eb2b327e01ca424fd3408690768145caec2ffea85cd84aabed1deeeeff6f789bf4839b090d099e026591480

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
a602d208b84c29adab9e2e477ade73d9

SHA1
b9daecf656177c3a43421c353a9ff63e8c0b7d5e

SHA256
1c32ee11dab8e3bb36e97706be45af282a9ada204e0fa40180ee48e5ee8dcb04

SHA512
439ba5051e05b5710cd8356065408735648182cb8e34317dff8e137bd155ec1f6a9f31d0969067f5ff424b5feac58be9c47adc4fe7b3810a06991a6a88cf1248

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ab4271e3e569b036199c7fb9bb162fb4

SHA1
dda2684e93d71be5d8efd21c6a165cde92c8c650

SHA256
fb74502b5b0bce8a7e124a3c1e2c890d2dd8c0e6c1b8fcecd479ca64bf7ae543

SHA512
8ae9fe294f177f6562917763c6209f949c2fdb0f404677c29269eb57d94059019cac16129453753a1de0e1c1e6a6b205dea7e55f336b97a4b0ea0abf0519d075

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
c3f2fd5e996e023d7a77c870d9776108

SHA1
d8e205e54183c649bae24c27a193a80f24a656cf

SHA256
d0b0b8a74ae2f5baaefbb1e4e4a7921523c4b1967816f817bf3483a0ce5e7f31

SHA512
54373b94c653e14c92e51a1684cc66d1a2f8a10854f93b156fab012e81e4229fa42bb64df0dd263b30caa770181ccc182ffb78ec4ed7024a4916bcafc3496d3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
55e8f9974d782d1a74c83ed7514f0b76

SHA1
4a04e6ef28fb47adb71b72b787ae8524a2472988

SHA256
07f72388b65b4177ecedb868711d999cf0959bcdbd76d37e401dc056bd056de9

SHA512
ed98c86620e5bb3c17ea7a46c040d2754e0b838f868a3edb091627b351f3ed7f8064fcd67f71e055e875e254e066895d3e1d922141d4b3ae3a8b0c2e888ba222

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
95dee2af0c4ebc32ed80ed2e3392b641

SHA1
6ffd228681c614fd43ad3de6c05314406dbb2373

SHA256
29b30325a0f43e75ba02082f2e9891645c5ec273672a3ef8217e65f79c4513c9

SHA512
f8f9cf3fbf5f56133bf98665b1d11758c46238fe0dde943246d440560198e7c7d2a65773110df8b6ba5ad4f9b2742bb0ae2686362be6d093dcdc37744f26b654

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
b6108bfd50e438a5ff3cf5a78ac46f4b

SHA1
9c15be444281a2be4ae1be217a287b3b1709fcac

SHA256
60e1fb117ecd23f16a805832fc34cf5c0da5ed3a7142ac04ce79020d5451eb31

SHA512
78ce0b48a6b85b0a5b403a7e1a4d500895d9c0acc790643158c75bb849c41d8b1a63f951c5bcf673419a37b24c08697cd213e5d5579db823ee01f06711a61647

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
7056ebf51e1638247902d2f134ca778f

SHA1
0ec5c2060c478a384efd7005868aae7ab4df95c1

SHA256
1e19ed25ec8ff2d9a07ae81d39b47c34bd85761fba1d5af1f92676acab5f71d5

SHA512
25ef3ebc39b754953f293b1457f8b54c9b894d34026656ef716454d91205920149deacccef611dfc55abdafd741d30ddb886004fcb19841bc58f98bc3cc28b51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
11d3f20fd342aa66193df69dd150e453

SHA1
d33e36a1581fc9ecb83fb0907be041938281cca4

SHA256
404aedea574df759c95e7a2d7a0f365e9449ca967096cc6270125ab0e3d15567

SHA512
d5776bbc68af4821e199d6f8622dc669ff59bcc4afb94d040cb6146f7239c75eade660e54b1983759a35b099220ec0f963d72faf0ef01718e2cfd6e70ed6c54f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
ddcd2e0018a6958c6adfb1bacd51d67c

SHA1
06a100d21c58ddd828cba1519c6f7481396f57d5

SHA256
538e78314c6944845f941a5291691cf1f929c30a120b38c53a4421bd8475b7d4

SHA512
3017b9437d91b7a56533e8fa34d7db1dcb5aa531a96225abf1431595e815c6764dd4df0c2cc51fd3aae89f2df72761cc0babca3e2c1fe8050a954556915f0663

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
febe9fa330113b284cc3e2dc4f9fda22

SHA1
a1a098fc59e00ba478b92f6799d7835b667b4e2c

SHA256
d88ed563eeac88300696e68f45a62af9055faf5eaa32bc6fc851807f2513cc3b

SHA512
a84f6855ebd0f3a656a36297979d05e3ddd044a08fe59869e8fa45c22af5a2656659d7b81d3b9b194729cccc12ee7784f3c3faf967d3a3b2f5de1065af5f0124

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
100035a136690b9c17f969b1a9c4dbc6

SHA1
a922c183f1563dba9af4059caf7bb2aaa0dd5790

SHA256
a909a775e25ac09d1d536ed4c615cb1656bcbcc11049fd18f58a9608b6bb02f3

SHA512
2b32be73da10aa6b3c0d003ae6ad72a8a769e4bc07b74842042a34ac8fea72b8d9d82ffec3e017ab6a4bae11382a4eb1ea777de01377d58661027be0898ae735

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
cd8d3210d970f4326f76df3ca8f3ae6a

SHA1
2174e7e1e849635e0b6965521c49f86d53f15464

SHA256
cbadeb7604ed736b3f662c9b3b7c4d659b608e0127cd5ad11e1c9f4c70a16c13

SHA512
264457aba39f8869e5409ca3cf7bb5c6a628afd9e93ccb306e847b178e372c4f9ce5991cf4f0dbd8874ad8616f5c62feb21b6c87099d77068b27fc70cf86eb83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
db3e5398cef1212246fc882c1731b1ae

SHA1
f48fd918f86faba04f8a1ce0ff87a50535bf1481

SHA256
953dfda1863015fc0e2bf8d050f494cd0b3762926ce9ae07946340b6df83e8c1

SHA512
dbefd38abb7c85e8a5283844a823ced3fbd1b5625b4167f1c2cbbaf05f80702fc8c1079ea097fdf6abd9c16d9ab3f677479615ede8e310e00d26df2e6b7edbb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
4e5a10deaefdca6f2c5c6f2ee839ac9e

SHA1
2390064f35c5b45b26e5255eda0c3215c4ac6c9f

SHA256
6cbce56725e660ed4fed312d8b689a2715ccc81c3a1a31bc8f476b4a54683787

SHA512
00f760f0f6a2449742d9804aad5d340a25f3300604193c08d94cec402bfb7ee8fe1ab13ac561fc058cd7df70233b986e47e7e82162744761938b8771bde0f000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
e3849760f3c59fbcb088c0e4263afcef

SHA1
08e21da91dbf5a632292ff5dad0b741bdaa116c8

SHA256
09524f62e50d0dda81ce9aaad644faa16df3b97de394ac90d4a0acd3f5cdd66a

SHA512
5ed2d2b69a38b184ff6a6a1804c0197e98219771d95652447743f21f3ccfd4594ad473a700ac661295ab27036e91ca4c073793bfae7e02f770d7f12d6813b25d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
fe1f8c676a43a2da8ecfbb44cc6054b6

SHA1
abd4e96e7d17acdc8dc55c78b9b22eb861ebc301

SHA256
8b0e12370f4794691a7bf0111c78b05686c034e1ce9373e2059f70e79efe12f5

SHA512
e72e9cb0ec30cb42e646bd1579db647c17ba02c61cf548ac64442da4fd695d54f3950dab7a27f4ba2b301dc0c18fa82cd7516a58dc6d7b98994b62c146810c93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
78968532891c6ef897299cc677985dae

SHA1
aceaa79bebba5d1f28369737c56ce6d2b453640f

SHA256
4a2a8d868d7742bb900066b02d8e8ab75ace9f17f0f2a217c83599e372300931

SHA512
6ca1f9e6a41b3f1b311cb7a1d9eed9e7784e2e5fd1e148924b6ea5593cd25cf8ff069f481abb5fda4a83a29c88b9843d189a455094a976c768cd24c550ee4253

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
5acc1ad0bfbd288aabe10d168011e522

SHA1
2952ceecd74b959421921e34b252f6403f5d7122

SHA256
c4978797825b2af825bcb606b66e8f9e8a2dbd8f5d08230fac58f397ee592f4c

SHA512
e77618fde23a4014393461e296b2df2e899671747b34626b7c66352b4d4f782904a0ee14f2e26b2235254713776a8ba33e8bf645cf1b7bb21135719109334e22

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9cacc4f444847994d7d62fb814916262

SHA1
0b08be52ed359482a23fe030048f42bfc706b410

SHA256
e013990844f8424db3a444e074d5fdaf4b46750e9ff5fef2eb854cad4f5c41e6

SHA512
0dbc231926ccead9baba0ce300d583ebcef9725a0a2bc6c14c59e81595cdf31d96ece75552c33ed16f96528a7639c47b852f2dfbb08ba083ed4301f8de7f78ff

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
c18c3b7d922cbbd6d777e029a559bbaf

SHA1
da61ba9a0ec63b215b4dfa7e3cf899fab54c572b

SHA256
10050a8e343f8cc109a33ca5003042dade86105f84264106118db5b0a17c9cf7

SHA512
3b66ec7377eed4b73029ad3491ad8a9d632f0d2507670168547d291b9bffbd7ff5fdd2d7b71a296a1b3f825e483f2adb9ca91912d854efdf672dfd5b1e5dcd8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
896B

MD5
05387eb332be1125d3b1163c3485cda5

SHA1
c0e230a31367602ea3f1173bf06b8981bdc1ff3d

SHA256
ba39ba2eb858fb0f6a6bf6e97e1a989aa611154e95e5dc11d741707e2408852c

SHA512
b3100a6e110ae8a72f99b5b286400db1b6d48f8444dc30fcd8b81ec92e0af56dd86ae630e5979e85c210d5569ac0ba21cd04665be8196348b10c288bb362ba85

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
00e5f72258e6c602e6841bbf4c30b136

SHA1
52dbdf9eada5d7b0e015fd3523cca5cb915c23c2

SHA256
905a454fcb15e9f2a469a9a7e6e42b8c6425d20b33a59be5b84818daae964807

SHA512
50f0f286680fd33c29956455ca7e2d293402f369bd2e9079e45930853f1feb6e86208e1c8762d26dfc6f7e742044e912a4efded9a55ddfddaa454297cedc60c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
04c3ff25bcb816874d0e33b8603564dc

SHA1
0d2ad0575d57c21788b1626a92372b01f92762cd

SHA256
ead3497393930f85a4784b8248aa6cd88bebc377d3e8644f3bfbde1d5168b332

SHA512
f7b1d1894e4c4c40b89b4a54c809384beb881288ca0ca1dc45071e4eb2e51e1df3f4884d3b5e40992f3c5b7e5a52dcb1b3f64157f66f852af255fb990f7cc4be

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
ecb55774cade80d13fd495453a5a09ac

SHA1
baca7fcb5a3d34e2a35ab2e798447594e1627c80

SHA256
d92355cde37217fb2e8f2805979baedf520b6714c0663b79879d0324172c473d

SHA512
466de332fa5eb0414c49983603e88bc41461cdaef40645172214d76069bc46b3f3916fd2c49ee6992d1012727477c3217dc9e924efd33a80f9abe3c9fd094182

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cab1e340454cb0331e12734189058b5f

SHA1
4a377bf38a52c33531b77cdc8bdabeadcae970f2

SHA256
b9615d276756115629e63e196fd38f556cd8a948188732c2c3cae27e22e93348

SHA512
6a1df8bcabb49e142ddb18281c18df69f78109c9eed48850e6e8c0fdd30b926b5ef025e43e8a21c6f15b691a1127998a2ff060ab1ace552d1b2b5b28d7721619

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
f14b6adf9f53302093bfa1c1e8297165

SHA1
741a0aad6797b443ec4a8bc17bb270423a22361f

SHA256
7e1d9d95f5bc0ce78548259a4c45d305c9743efb61396261076313bfa1957e14

SHA512
a7d0aa1a8c949e5c4a6d227aefd381d425d09171621affbdb5403d7419b37e390e56b086309e0601561cf1ecc8a37df0b1feac6082ad8766a9db1fa2743751e7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c6e1038c46b0126799970981a4a391a7

SHA1
d3390d61070d97c47a9275e246fc6520431a88ca

SHA256
8363bddeb2a6e11e5ed784aaacb1ba241c158389f1513a6743d063fafe1f47d1

SHA512
cdc638eefe05688fe35c04b7b964ae9aef21408b02cdb825191a0affb064f641abd60e361048c84b61c16ac7d0f55c60d57dfe79fae2c66aebfdaa94a447e164

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
73d3c49976f8dc31ffe7bedf5bc0e655

SHA1
f21447c873ee9336a4e51109d53b3b9ce830f8d0

SHA256
dcc0b39974d5c04cbc1107fb49124e165d68fbe7834ebfa146516a0b88a3bad0

SHA512
21c1f044b6bc0be58b5035e2870d0f3dfdc307e05912e0cc20f613972cb1355903f066710ce0db5e480f050b27c78e5f1c0dd001f952977f4d668ce37b8b5031

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
4cca9ac422ad23bd0da98c1c3336eb32

SHA1
7ea084c257da44ed17916c5955890eb9cee0b382

SHA256
497f5aeb225136817b765abeec6151ed122abc5d4356717e8060301f48928255

SHA512
0c65ff0d3c6639114aca2d77bec920032e3bb9b33a98d91ff4dd1d912f1160310061d122f53102e89e4ef43cb6eb99dd32b04669984ff18067856eb312c87819

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
156ae63b20fb2942473f376b039cc535

SHA1
8ab93e98505ade0ed618eb5a592c1636b9f568d8

SHA256
b683c068a01d2574bd99c67782623715dde81d5f77c7c758c705c4787c464864

SHA512
85fe7426444ea8580ae650cebe6b77f586fe9d147bbde12e68b964e2beb60ec2f8dc820493c633909e97e36b47c03cfcff14426099e0ec9f45143ecb446f34dc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a2d6e15bb4c74eec28dd4afdfe5851bc

SHA1
eec604ddbb46589d83de03e1690a59f563b9c67d

SHA256
da32f8a02468c85a81072595e8ae4ced2e610d642361a768eb21018eaba1f452

SHA512
92009528633f29a840533c5e3443503e56521ce142fdcda032fb2cef96e33119b97ec1b84c645bbfc81a780e6343ba01536e1328ddbc2c2564e83adff0677265

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bcbc0dd0a0e08acb6821632dabbaf967

SHA1
227b70663cad5c03af919c2e1f9b38624e27a4d3

SHA256
7dcc296a8d153969f05113feb92c73ecd60b18e59c36c24f1a7425795984f6cf

SHA512
8ffefa9f514128e01954c0db2246132eec365dbe6dc474221b74572b466eb649f5f52c790dd1c0c80d5031062a53a280440090a36b6b170162c843af65959411

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
47215ceee36ab9596bc3dffa2d2e426d

SHA1
3bce11f3b6aded10c2594ea6ebce45a0902523e3

SHA256
8b0cb1f175ac41c8860555e0a9e2dcc89edefeb8ca0626dbd8af9419af6ce3de

SHA512
96334c6856b1107ff48cad6a8def59012df9bfa2486beba617bf053f79d00036e9d16b32fa10e69d93f9b0a390f98dd46ac5244fa4e0b08dbb31f6e5ba183dfb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
bd22822fd5cddf60f4216084bd1e9cc3

SHA1
977451d4511c0553e4335656f58ecf702e6069c7

SHA256
fb2243b35bce5e09ba5a063e5021b16df7511de9383fe480126805e7210eb1b7

SHA512
e7afb4597a8e0dca7773b583fd0ed4d4f588c9e51aba7438455451add0c32d9dbc632c6ff2014f98f166f36c7b7af6ee1f7655e3c1706a1bb718ae329a6f795b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
eb688443ea994fc215c4dd43db047da2

SHA1
90ea151c38b954a8242526da910baa4f976096ea

SHA256
c0789e3887e98ea99451da1926df730a04d0b67ad57a01748e657a4cd92267ca

SHA512
a6500d01170979bebd7568756b9daf8914a1ec6c77acf699521589a08a101ecafcb5006d77633b6344a8f511c442477785ad090a1e75b74a95c765847477476a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b0e695b2310514e3e33434228a452e7a

SHA1
f263cd55938bf7d5fb8ce1fd23a595364f375b7c

SHA256
aba6ffceafbb7efa22c9fba542b508a9339da051cf9813f8228af3088b17f410

SHA512
32ade843b3d5dc90bda1f2599f6585f8319d577b2a35d062b0d10c8543f7a9edde3fdfd8e0ea501d2c33e5a0304ccab966d856014d87adfe8fd49ca097c2fdde

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a708160f961f1b9f01c2c8e4648c92fa

SHA1
9f4eecf280cc18d460395ded54dca9ac4e32e225

SHA256
379aece20fb88eee7fc47e2204f15115d85127c4fce200675a9db9073fcd30fa

SHA512
cf2c677e1de4d910ea34ad76df2058d0e9a99c13fe9e81ae30e43b12fb82efdd7440665e60549ef429e46911e90f5c3d265e947e3ab691e5df3019d48fb34fe2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
0c1f9510e3e9ab77070a94c6a01dd12f

SHA1
1b07139c03172385c9b94a00fd0dcda069b5fbeb

SHA256
52f6211b369f5617b2c7bc48163f29b3703bbfd0b38288203ed1bdd18c6428d5

SHA512
f2ef002800d658652f6e8e0f610ec2ff36da14e67bb63f9a23ad5d0e0f5ff1975d2e57f18c72a44ecc3631614acbc12576e7e69c3236658df3f78b1843086c58

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
49f5f2367dc48f9f54a4406b12df192a

SHA1
83b8bc0d1b561b30402595f43bc5481a11349996

SHA256
93e74cc4e91323118891d3d0593caca5d9d29948de23bac23089fe7bcb56e4b0

SHA512
1f0518ee945099a6bf8bd434662031f5139b24070cec84098c522148c0b007c545c32e17de4aee6bfa704526155b17ee05f93b6f06b37ef4051ac609788812de

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
85824e10971f16cd1355c03c1a4bcc90

SHA1
adf757d190e576f2c0c6a28b683ffc1d8bd16e6c

SHA256
34444d9472302fa8be086c52b209045fd0e806461eec073593969d637d16a86b

SHA512
3794f47babc15939baee4ced6ec5b289b92562e6f82cfd2b1b34ba8c6060dee78eb76a7ea526a214ca7555e6ef70d341a4069e491e67f7facd2ecd8fdc7301fb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
218a33b9d70f0dc7a0f6920576bde963

SHA1
6074fae5d45a562bd708adbd66f184ab96e7fc26

SHA256
15632457656707a7bc388aaa22421e28d779dd4c2f03f7a8e471c7f01594dd04

SHA512
bf22ecf73212003e20ebdbd21a16f3580a67d8420ab3be3b08c9812f13da952712a87e90dbb5bd282a27b41a8031b410e3ea6020decaab17cd159ab35aa6692d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f59144103096814fd99c29306153cd07

SHA1
a1c15732399e826e2f7daac29995318e02d4ab2e

SHA256
7f845b6c138c3855ab8093e538fbb467cba0f6748fb4b7eb3b7887fea0cb18b7

SHA512
10ae7959d88d01730e2c7f26cda265615d052d2cc53b8756ae96469fa57eee8a8102479f7461abdf50a3ba575be8645a2bf98f2a7fdaddc061b7386aaf25adbb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
42a8f5a4fbb2696825412b28bd9856f8

SHA1
4ca468e062149400feec98ad86071a814ab9fc38

SHA256
a33c2bc28b0baa4ec39ea44bdc7e4666e1f14ff5a6329001254c8d215bad5fe0

SHA512
6507aa15f02adfa638c40e44762f3249509b1a492701cf4df97f7e6b6076b83b237685f11c33987a4a7f0a272b18a989ec418dadf610dd082aa948408e00395b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ffe340a71a5ed03862b41608447ca798

SHA1
0a778d96f3a9d31137d095bb68ccabc787471753

SHA256
e95b46462134d5ad9ac6166d981155ea427bafb97156251fca638d39b1938332

SHA512
4d0adee0833477217b7aa5c19c81009dab448917bf753757714b9779fbec11aa1b7ab8693975a39531aab88a5b8846756222a1aacd3cbfaa31b1b06a1c7a62d6

Download Submit
memory/928-828-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/928-565-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1212-527-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1212-540-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1332-134-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/1332-525-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1332-142-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/1356-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1356-181-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1356-33-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1356-30-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1868-832-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1868-616-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1868-423-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1992-1-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/1992-9-0x0000000002420000-0x0000000002487000-memory.dmp

Filesize
412KB

Download
memory/1992-158-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1992-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2304-497-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2304-767-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2380-397-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2380-570-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2384-74-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2384-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2384-111-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2384-82-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2384-80-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3068-838-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3068-617-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3124-793-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3124-510-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3492-564-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3492-269-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3696-422-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3696-45-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3696-51-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3696-53-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/3936-117-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3936-131-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3936-125-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/3936-127-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3936-123-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4368-89-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4368-97-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4368-466-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4368-95-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/4444-732-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4444-467-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4456-593-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4456-400-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4560-595-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4560-837-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/4720-108-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4720-496-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4720-102-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4720-110-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4728-685-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4728-443-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4904-812-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4904-553-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4912-159-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4912-551-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4916-833-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4916-581-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download