f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
Size

1.7MB
MD5

8287d3b7e74a57304d3fc5843193cbb8
SHA1

b11d2d0364325e8aa12bb8a115aed37307c5ae43
SHA256

f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88
SHA512

84321c587091ed3e8e5866cf7ff493b5d82e81aec3c1561e5be7912c759b519316a9ba4187b6c32e5c5f0a1a6f4e96a23b9dd9516630cea9f394fd930d72dfaf
SSDEEP

49152:yKxNupkTcKb4rSUfkVFjbaB0zj0yjoB2:7fupkT5NUQoB2Yyjl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3632	alg.exe
1360	DiagnosticsHub.StandardCollector.Service.exe
1740	fxssvc.exe
1892	elevation_service.exe
4796	elevation_service.exe
32	maintenanceservice.exe
4216	msdtc.exe
2360	OSE.EXE
4960	PerceptionSimulationService.exe
3120	perfhost.exe
2004	locator.exe
1940	SensorDataService.exe
3448	snmptrap.exe
1200	spectrum.exe
3612	ssh-agent.exe
3884	TieringEngineService.exe
4040	AgentService.exe
4720	vds.exe
3376	vssvc.exe
4828	wbengine.exe
1652	WmiApSrv.exe
4884	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\System32\vds.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ff721d45d1b02b8.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\java.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000298fd7135a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e0d33135a0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d66ef135a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070b9a0135a0adb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008af83e135a0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d66ef135a0adb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce624c145a0adb01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4088	javaws.exe
4088	javaws.exe
2288	jp2launcher.exe
2288	jp2launcher.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
Token: SeAuditPrivilege	1740	fxssvc.exe
Token: SeRestorePrivilege	3884	TieringEngineService.exe
Token: SeManageVolumePrivilege	3884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4040	AgentService.exe
Token: SeBackupPrivilege	3376	vssvc.exe
Token: SeRestorePrivilege	3376	vssvc.exe
Token: SeAuditPrivilege	3376	vssvc.exe
Token: SeBackupPrivilege	4828	wbengine.exe
Token: SeRestorePrivilege	4828	wbengine.exe
Token: SeSecurityPrivilege	4828	wbengine.exe
Token: 33	4884	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4884	SearchIndexer.exe
Token: SeDebugPrivilege	2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
Token: SeDebugPrivilege	2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
Token: SeDebugPrivilege	2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
Token: SeDebugPrivilege	2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
Token: SeDebugPrivilege	2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
Token: SeDebugPrivilege	3632	alg.exe
Token: SeDebugPrivilege	3632	alg.exe
Token: SeDebugPrivilege	3632	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2288	jp2launcher.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 4088	2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe	83
PID 2000 wrote to memory of 4088	2000	f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe	83
PID 4088 wrote to memory of 2288	4088	javaws.exe	85
PID 4088 wrote to memory of 2288	4088	javaws.exe	85
PID 4884 wrote to memory of 4444	4884	SearchIndexer.exe	112
PID 4884 wrote to memory of 4444	4884	SearchIndexer.exe	112
PID 4884 wrote to memory of 3724	4884	SearchIndexer.exe	113
PID 4884 wrote to memory of 3724	4884	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe
"C:\Users\Admin\AppData\Local\Temp\f96a1ae4e971d30614783829af0ad04cc79b4944989543e99ceecbf29159eb88.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4088
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4464

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4796

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:32

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4216

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2360

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3120

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1940

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3448

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1200

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3228

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3376

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4444
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 920 924 932 8192 928 904
  2⤵
  - Modifies data under HKEY_USERS
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
311cd1a79ca89f0f8791fa27fe6c08b0

SHA1
1530f09003f63c5e44b1ca408bdc649e88c5b537

SHA256
ad9809fef2ffa38e8b4e57828ee4cffc2dc1dcafeb8a01ecd79c7dc9c9e4ed62

SHA512
9eca4cf208af0e670db463ed3d82d7a0ef554a04e90b0e39dece3410dbfe309a783a9b1534c35362b8b490b5bb7f2a31be2bf62f5dcc631f744b18175048bd32

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
608210e562e4faa692888f35af8373a0

SHA1
4b510d36e290b9c0a97d2845536a2124fcd32078

SHA256
02b71ec4d0a0e94298b48e2997bc512e76ce13338258945f41fab5756f1a1c45

SHA512
4e717cb38835d33973756d9766524e4ae756edefdfe9f39430631e8e3997da1779bac35d2f6234d416b69bf1723855c3514f9c057792eabf38f6a9f8f062c8af

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0e09d52ee07c0f5e5309a3b3308cdea8

SHA1
a4ee09616276de7d88b703af360ba7f9cab5d4da

SHA256
5b23a736da22ed38c5346ddea48511556aefd5be47d68e3d8dd7246807f00feb

SHA512
ef0f5d869b25468ec8e002b631bdf4aa88fe083f8b26d8eac51c9747e2797091415409c1d7f6ec7d8fe0de930dab31cf1d6bb0efe8312788ebea2672ac4dcc14

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b47198193c2d06404676c21734b20104

SHA1
57e69e90a0cf96ea7309a42f4bfbf7691a6da079

SHA256
d12d491a6c5b5877c9975e41c30e8814dc68ba545a1ea9a9ed518e17e65ccd16

SHA512
35588ccfc060b3fcb3453816d967beb1462c7ec9cc681a49aa894b905d905f14091a33da27db0039ba3671231428258663208fc492bddf77dcf71cd2af65e7f6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8936a1311763644239355e9704e29b41

SHA1
30230a8b2bacbd8dca217befe9539403b6515905

SHA256
4111965abfaad6e8531884335b383744172fb191cef9aea5f4b3481671e0b8eb

SHA512
a09034d858da527faf19eb4021f30ca5c446b4b8291462f12042bb0886b64a7b947e4c94f1bf3dc72d388dfca225f892a52e798712ac09201a41ddc511201ee3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bd4f77158f3b10a04cc94dad138e0299

SHA1
820c2220a81d9b8401087a423c08232d35a0b784

SHA256
64cd82d0fc019a55b46dcb2a2919ea8dc6a8c29ac952b9145f00322bf820cb0e

SHA512
7982578f803f0dc53f9d8e573ef98b761577960180cdc816cdb06104dbb502a03e5e26275bfc0e138787902c4a895918b66ef672d67a81580b92e51283142c5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
3f4a2d36377ad6671d9296fea7435290

SHA1
41024496a1c4f7c29ff837503e8433acc489f3ab

SHA256
bc01d7d4953b164e42a74fc9c991f8a48640d8886e756d2a392f981b8522c2d9

SHA512
226cd372ec5a8addee905925df17c4f68a4aaac6e31e8ef385c68355edf5afd88be44d66fe76c97e88dfba6efb607fa6e951fac1780c0d6cb938a9c459dec5ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
905536db6b103d6f4ed44b67379a8319

SHA1
cd4b3c86b7e4ee92769ac3bccb875e791327b54f

SHA256
53ee70dec94b6f907e126a59edc3f5aa2ee7cc10053a35022962b196668a6d9a

SHA512
be7b8d88c5a7e538d9dc68d634f9bf0cdd08917424e56285f60197837b139aac864976d1219c1e6011554d2d398d9c1616e134646168b560a8151af1d35c4ed3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5cc660453ec4275f7a049166f081221e

SHA1
97736511559425c4bbc30b135ca033dc445c9278

SHA256
4e896eda365be2ea32f9fb620b58215a9240b994a84befa71eed24083b26c3ea

SHA512
721201c0bc8323cb075ad0dbb2b98f4d61bb74a5d75bf1708ca31d6c36270828871f90e770abb2767d7e5f3782d36ca742a5a43ebf9f4562ed77230d4e711da5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8d78f178136509d0288bd5737631ab95

SHA1
0e78fc8ca5cc1dda8856616882a8c3f24954e07b

SHA256
7b22691844b3943411b218e31c669bb03b858906d753ed32fa3c5a0057ea878d

SHA512
a72b2574fac5e9a62899f084d9416eb715b17c0968043b3e2221db0d465accab7af55c7abb10979ff420caedea59c7104883e48c03d4be2f69750d353840fdcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b4891f7d42f3e61387d029b75cd4cb7a

SHA1
b7364ef36e2905c552c35881b42630f0a03e46b6

SHA256
17ef62bb0baea6a255e69fd6447cd0962f72231d2d1bb38910430a8a483db4f1

SHA512
fedc901c8de3018fa85f04899d20936969338e595bebaff09cdb676faad63d188f55a82b6b992878d8315d92ad5d4b6792ef5db17a246003a053f35ad2a8334d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b6594ef6b1c9b158dd09807ffb7fa524

SHA1
16c9f2fa2475b444b098f145af12d3641062f62e

SHA256
4f6debaf43eac706cc790e9fb554c116b10d75cfc2086986db43f4ce84359b1a

SHA512
f50b5deb5a49476610021b3429e4321c8efecd4eee9c2827eea6be0202997a02d00027b99fa6ba3fdc279d09f2eaee055101b7cc7662010f308fe813f2dcdefc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
deddd7a82e28a7564f657059b4de145c

SHA1
640029a74e598aec627ddfb857052ef9139c6dad

SHA256
076cd8af79595cceec7f48d050ed0425d404a27fdb0227409dd7dedba250f0ef

SHA512
d6a5676f51a5db83bf9250bc581a50a048aa24bc2b9026f8868bd4307e49564c7626323f9d5e6abb8f1c6b16a3ea36c383d6dacce1bc5d10f93a5f5a3d020401

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
88ed7826e105ee525e79c442b7027020

SHA1
b3514264b0adda0c27965039be644519e3a46ebe

SHA256
554319a768887565a7d39b36a35360538b04201a0b33b482e1493b97d4079a90

SHA512
9043f9719c2b3fc3c13744f0caa7f0ae77e85389ea2ad290dbcc1e0e701347d677e6ac9d7302843eb3e275161bb826c91e91af57bd03c739a1923a888fbb030a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d0f44364b42d9d354138c42c733facab

SHA1
68c03acd0a464ff0607eac23d43b82379c66f4f6

SHA256
224557b9e914e78f4df019c29a58ea610f0f209253fe318c7120c1c14260e615

SHA512
b4e77cca9f1de752dcfff92960cb462f8fc9bd295f7806eaf4481308d0c574a7c19537f1d955fe8c78d908a13ad620963c173196ea50a3235c6bdfdbec0160a4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
d4dcf62492052e907ffd0ac492e60382

SHA1
b3adfc28d49cfa566432d26a9599c6e0317a169e

SHA256
e6dafaadf21e426d31ecccfb69a358adb862b2ffc1f913e7c0cbc850ef620038

SHA512
f6a3c3c2e93ed436f0cb55d3d3e105c636332541db13094ef9c404dff2f60ada865896e4bafcc1e5b1bcd37fb76cb186cc7ffc656b4fe8012d3deed92ada63b4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
59621cb8441509fd3560ad04239b8b15

SHA1
0448b6a0790bca89eab8c7a5516d55a0c3fa177c

SHA256
8732ff2c4b0919093957a50e1cfae21c8938fd524d3a28bdf7c9b99e64eba783

SHA512
7481038e289a8de3925e9107743f4aeb16807245b6fdb5de47ed680c7b54f9d87be5902691137776b80dd405ea5cdd0f7d868c313b4609bf4d60c301b480dad0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
ecf41937fa6fb54f81210375933de91c

SHA1
8826c2e3513f6dce74a28185be15ccfd69f97be0

SHA256
6eb0808a7ef4261573383829e4e5cc9c652829abe74b805cf9d3c1764ca6e295

SHA512
865050ac6151789e850c9f99285001c75a46ca1187c27cebbfa43627cc0f83955f11275e1c1b34359d3aea31dfeac945c28381b0a2b00838b0e007711326d0e2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ebb91d955acc7ae414064b27e1f3e66a

SHA1
4df49e13e3bc909319e42df1a6b2e5efe551d460

SHA256
391562b94fd7d633e6929a8a43338dd6f34857f050b5d964b45e8811834d0afd

SHA512
cf9d7cf50a459aa515df1f3b87c80c1c92dabed963f7c3cb453b454da9a820899a32886cb037724490fc66cf1f1e0ae741b1af56104f2f0302e3fb3a2531ca36

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
fff6f1c5a11249f572c89df210c8dd38

SHA1
946b7d587f10e7abb1f336650b1d92010c1934d3

SHA256
eb8365bf5ea3eed3ead9117e16a5103f5894e6e6c9b4c244352e336434ca7728

SHA512
55a1ae7ec9ba0e67e7c7b69f3467d4823db5e1338c06d9255269de4dc1178c8a16165703bc100e8a25f7cbd2df100163517ae6ffd7cc1f822d25721f887f65f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c9b437a928a346436179ca208fe629b7

SHA1
428627cd02e385e93a7ecb8ff7c4e4644bba9ae8

SHA256
3a88a503d2505873a1e52b3562e1cab597f498e06bae441ec9f00e9e54be42ab

SHA512
eeb2bbfa201ec31d14151d03b0b30c79cefad7af4fa8a5a184ef5af50b9b90ca8e15be7dc39056391dcd67630040d6ef6a3459e2e4a96457bd60c4bbe4305bd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9f78bbac79eb28690ec7b3c62cf6c741

SHA1
80fe154172ca9c23f6215323d4cae159352f6427

SHA256
99d0fcc247d8a09ce1a43b23e8c64f0b548873ffa819d544a9ab9c18053eeb66

SHA512
0d61cebfc8f3dcbe31e4f6aec3dff572921fc79c814ce802cacdf4466f868fb0f1bc67a2b91f84ae1134912d788e1444061577b4684159fbb018cc5d111d115e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
720ab3e8b20ba0bab5d30f9cb05ec36f

SHA1
04ac202d1fbb07ab6eaa1897dff433912b9ef743

SHA256
9a3675a6a0d1963c5ea49e7af1ee381596fa9702441cf9c813348419dda4740a

SHA512
a007864ccfdcb4829d95a5300779df6034b5dbff53c711edaf2f5ad8b1259b3d9c3032226bc9ae33f4ec6753c665400490f232e715e7d775de9dc07821471f79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e42164d5a33a82e3fbb653621e04e3e0

SHA1
3d7a4332ecf534b123b83c12f45604514fa6fa97

SHA256
90443302cb6669546729793782072bc84459ca38d79980ca029056a88f6ff332

SHA512
a2460e8daff9d4398f1533d2bcdbc105d5e39733b85814ef63274d7d1116c273c98a48d061ea940b4da3139367fd263ae283dbdce9a4d386fde35298df66dbc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c846692752d9af20382a7d9838d04dfe

SHA1
92f5cae84ba56fd88e3f0a336ca1780d5480096b

SHA256
d2070e2ab01817456658ae8628ae1c8a2e4ae35e412456aa06c877841f6b20e8

SHA512
9821686bda9c0ac79dfb9962361f87757b3dd1ca784ad28e279bd111847e0412ac4869fe7a558400c7cce7ba3e95ea732e0b75321a5609c514336528be78e5c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
dab293d63e4399462e99af3e2c26f81b

SHA1
0ae1d0bd9fb63ebbd33aa451d4e175b50fe965bd

SHA256
9cb9b30efffb65801b9c9fad2b7b931d37c7af95b2854f81f19ecf263958ad3e

SHA512
4b5d702c3b975690b81e7666d22a171cfbdd20773fbb5785f306c7c591fd36a2852d8cdfd8a6aa871a5464305aed9e4772d5e3186bbb1f7fd1fb5f2d7c23df16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d0809f411e2994efd026f2095926d6e0

SHA1
e90821bad32ab691117bcf03c2088da8c72a9acd

SHA256
cf9f965808ff9cbcb9aa98624c4a5bbe3d9f93312e6444c34fc2e17a1a703443

SHA512
67b29e3c93b8ad6c159e13e35b6ba6dd2bcf623e8476dc7f6871268375d201f99728fa98618cc5349d50a1d7cfc786983fae8d5219144ca3f894d66676f5b04e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
ef981df78b6620a9f7e3f0d5c8f7fd3a

SHA1
3ec8ffd8a9af0b28ceb8a01c20fda18219ff0c33

SHA256
a631d6c4d12fd8c2af9af49e27c945dc9ca1b3184db9086c8cf96d40a542efad

SHA512
124abac5c67b416bc3f52be49809ac9dc598a643b9c2ef75ee86231743e94fe323719e5e9c7d3d8040f1fcc9c214c77b210c5a2702c7533171a1d0fc8ee03595

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c6a766c375c698d52b0194809f930cbd

SHA1
9d72236293459c323b1e2b2174aac770ddba1303

SHA256
bc42a07d870c0a0bb93c05d60901a8c324b5915b90c75079d51a71b50a2a973c

SHA512
f2ca1771dc53965f24839c0db360d190f37f62d0f941f859fe25675aa3fa1db3e3a5ae66db006e57798da1a5e69a88a80b509bc5b2d2fa97586a36b9a8d40572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e4acd7829fd4d7dbbc917703f4d15316

SHA1
da15a38c78871a2f1099f4c262903dd2f5ecb1c9

SHA256
d04475585a76ad72e48ede5f47e727c07cfd6a3676072b1ea0ae705c8fad1713

SHA512
78e09f666d8222aa1c5bf8e6828413dcef173c3f7c3097a2fcb0ef2cfb09b7118157f240d474dbbc8d36fb0f89d3d3a9c2618147b223593c95696b4e4e9a9dde

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
b7224ccb16e99897dca97ec266ff207c

SHA1
02b80e18d455efc52e4789bf2af577b3e824b18d

SHA256
10a58b1e09619d849d857598a17849819e277d5d34b188278b249008196fe184

SHA512
e5342d3894eed06ee038ccc1f636aafb23789750b4d36bfd779f66f9a547ee7723d1d8503b9dd90d1855ccafe723d518242d406f4648a6611e52f6aeee2f1135

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e84757d0a5d7fe99202a1ba5ca4b586b

SHA1
d39a9adc93ae51bcf8ecda1d7164d661c3a4c338

SHA256
82e6bc5093331c731f9fc41622803b88490e5966e66f22c22135673b1d133a9b

SHA512
592839e8c20bce5812005b176a788d814f7c5506617f98aa0d66edd214f7d219df1c7834049fa0b2b6b2963b192ab5350aeeade07da2c8495d6c54334b913199

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3ae0b132cc92b488641a30182ef17d79

SHA1
8f0aa149d5ee57dae0adaba62ba96b03e2e7f710

SHA256
29cf88e5fe1762551882c471b1dc3c9fc0b4ec8f146efee5c281e60b3d45fa04

SHA512
9e9dfbc39ab027e0c0596b2ac92db4b15e2178dd5e900e4ec08dbf45359a82212d0b00469ecfc75703e62287d8a8eb748aa1b48241604c9093d0e22fc02a5ef5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
d4d469a60e82801e8630f75e45db37d1

SHA1
942da047d9e79cc559fc50ca3d85cf1ff18d54c0

SHA256
91f95bb929f6cc68b97b6535a1194428eac850b87c771c662fe092c15a3e18b9

SHA512
1231765a4cf6bbb8b132adbc94965f0c37383bd52a5f69ad006b3f81ad4437004f0406eaba85275d767efc69dd45746299b72f71f18b9ecc4d556a0cf352691b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
eeff4b690be67fa2d37eb455bbc2366e

SHA1
95d9d6cac9a7f1f09d7dd2551f017e4f86c34fe0

SHA256
59901f8cabc14e8142aaeea59713bbb79360dba5f84b40ac9d8eb825d8aed172

SHA512
5954c711c9bef373053fcca74dc2cac5c46ae0ac3528069c1007ebfc896f9541e5a5905f0ec0dcc8024e431159ff42ca8694fdf9d7644012ff4261104347edca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1a0bbf595fbc682d15098df7060d63eb

SHA1
2eba1efb786532cca677682cb2e15be9f0cce746

SHA256
d0052b69df5764e0cdc16c2747d1818916e3bb8ad45ffa979fd35557ac6d9598

SHA512
ce3e72f1790c0fe2bb1180133dbbe2f02587c2ecb9ceb56f7c4eacdcba83c3640d11a3316f233eadd19182da3962f62c4723d706cffc26210d18228a7c7be7dd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
416916feb210ea871fe1b5520f0dbd1b

SHA1
a7779c2976080d6c7355cccd97ea4643e5546681

SHA256
5b82d62a64d41a094bd9f1ce935d0f69dd8ead6ed92ccdcfcaecf09592986bde

SHA512
b70efaf8fbea16551ed34dcf94dc55f7b4fbba59450b31383fe85682e82478a8417965b1f8d439eb0e8f6cc91ba99fc0dbedc9552f5505eea39d7234510123b1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
732e0d81490cc79b9b470d8eec6ac0f1

SHA1
f4fa9cf0ec88d60d93943248c9fee743a30ec547

SHA256
77fe90a6cdde412ae3524ae8111791e8695c96a8c9ea11254417c03f5eaf8723

SHA512
b5d85a48e330b61408fa19f36a0e173122c48616c61f0b8c120bce0aaa40222e0039d658b043669c9893b9478f2a25fa71a1693855d31da32af5faac22f52688

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
896B

MD5
4ea10213af27557339f1cdcce5d92012

SHA1
7a9057afbf621bb918a1469555f73c4d8f4ada92

SHA256
088097fff2b4ee639674960f47fca6a31e581beb2bdd82a9ca453687b6224c63

SHA512
3fce6f17476d5c69d9ce63b10b8686b0b8d171cbc5a1c5d3a93395b12f0d8a52702067409b9dc750760d42193909b9fec89173c5187a8e700b63e506943631bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
00e5f72258e6c602e6841bbf4c30b136

SHA1
52dbdf9eada5d7b0e015fd3523cca5cb915c23c2

SHA256
905a454fcb15e9f2a469a9a7e6e42b8c6425d20b33a59be5b84818daae964807

SHA512
50f0f286680fd33c29956455ca7e2d293402f369bd2e9079e45930853f1feb6e86208e1c8762d26dfc6f7e742044e912a4efded9a55ddfddaa454297cedc60c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
f2e37dea4e7dfca53bd7275b712faff2

SHA1
3a8a41dc45ee6e2ff2d34198ed81cc6c50b690a6

SHA256
96042d99966b2ec571ceb464cc61f2310c68d8485c4cf80ca2c470fbf21cc35f

SHA512
bbb196e8df92501590aa22185ff5e4a1273594dc90f862a0898d9b7ec8abd3736c833cbde562e2934e50cd439dd4d39ef704d545c7a74932ff57c633c96efa17

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c4ad75644a0fce5d45c3f9fa21ff9076

SHA1
0fb2db7a39bd92efaf89854ee4f7b458ca25b69f

SHA256
d823ddea31135a393accafae6ca63a4501ebe34bdb1a94351beb5b7f8abc5350

SHA512
9b0ab36b0e0de6e3a1dc8e7887e6e76c8231863ae535cabe7ad3c9c53b828fa0656d2b8f619d6ff5bf82bc21864d8cbf193a9f9bbb3c69912a166d9c4e0e9aa1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
917026e10cba42945e4f3d03e979f019

SHA1
9fd6527d119bcfb746c693d58fd8536479b24517

SHA256
6d2eec2d7fdbdb88c22cf3a655430a4c4ebcf6866aa00ea06e3588470114d98f

SHA512
c55c741d3cd8e615a46b1efb518c507f0d3104f793df3be72db1b883a422324a948968c45b7947c82b614883c76cc77f756cf3dfde19e843199569bb23804788

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
60d6aecd6aecbb6365571e32af65d066

SHA1
4a8d532a1ac5a0d4b6fa6d2b16ddf216a5da04b4

SHA256
84dea1434ca61260c82a9f339f7d36946b74f55b7b7a9676c52c717283d63008

SHA512
75d886a8991670bc805586bfcb97f9bd892d20dac8592c169c8619a0d3f413ad0b8df7cd61c3ac7423a15c6a80f7e37839183fe1add619fa0b9933b75236a240

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8195b558a607dc8a53fcd3119a971113

SHA1
df04bf570f64256f6a9016e082feed9d49734a69

SHA256
3b008bd82392935e4210e287b582f3cda55c9c4c601a037c64daed1a81cf682c

SHA512
c7005d71a10b7e3417d6e863c154de84d7a5ac46f15d75f9b969efe574248318b7229bfbfb1b1eb26d050de4dbe91046fc14a51d3a78407b2d743f569eae7c5f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
9fe69a23f8d8f88ce3ce20fb45acbbaf

SHA1
13141ff2a459c3952858b806c3a3a48e61c5afb3

SHA256
29f9a6c84f52bc664315214d3f96e88a523751e56c99bbf3cda80e45d4c30067

SHA512
6b01611658cd03ec5dcc85c303265d5802cbdb2541f0c22947f01883fcf8afacd5907ed256524f504ab8077f58752218ab93039698aa5f3060f13da93c9af6f2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b771cc098daa0cd9775becee5080aa6d

SHA1
c5d9e211c778cd1543cc9fb6147840cd2d0098fc

SHA256
921e698a059ee2d71f38d4b9e073f4a0a4fa0f13da3477f58c9d86dbe8ab1de9

SHA512
0b1e01aa923e008b8a795bf62d3ebdc610f22e315322f08079b4c7e580451783469a80dcf9226f7f64e53ca7a6911875f7af23eaf4b139e050fbe174cc728b3d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
56b575b02438d8887cec87a6eb397c0c

SHA1
d2f60f5e0ec0a4b52f29bb6f1ae3f52407cbb2c2

SHA256
1279b7bc7faf74ac683536034241d8ff00613b3516d2d4c22dc749a0658c37ea

SHA512
babf1a355b7c573273a51aeb8f799b5e6750b8b1d43e9a53a5a14b48bee37691cfccf9d7f7687c5194d16ce9023067d9134ecad4595b0cdd700b807a860415dc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e84edc75237bb9f4ff528899b0629e86

SHA1
2968df39acd31e592467a5b74db345f5201306bc

SHA256
60aa6a7be50646eb63a853dfeae9ad5debb3d453102a0dc623a52ce59dba8fdf

SHA512
20dd4900d73bc1f58f3ec8c9f7f99e4abae9c9d73ba5b744e5eb5e770db60957dccb0727270692742544c6f8ffcddc6c11ffe1ae7e5f291f3493291654b811ef

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e9541fc42061281e566545110d954b60

SHA1
207ee0f9d53eb1fa936a5fbb967656a599f36483

SHA256
f27d66751a901cb369ab690e1ccc7310a6e164f3a5927823cf93a48e901955b0

SHA512
dba75aa174e5854440d52c3915d9c76b6f5947cd0ba63d402b8e18b234ff9be7c2181c88ace413bebef8a8970b43796d32269b32f79c7ce906fc0a05942daa67

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
582bdb6298e73a8ea51045f5ba44638e

SHA1
7c69860ea9d2ee368fce42c6987124d600973fcc

SHA256
9fb9ffad36ae891d70053293614e6680076213d0afd5e9e7525e8d03053b3fe1

SHA512
80081f108f8822ceef75f0784dd0fedbb232f583b76818d860c75bc61ffb35af14e696b23c9c5ec73b0d0de65d1616d464d9dab6e1326a7b073b92c1e2802368

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ce89181ecf6bad5fc547eb95326280a2

SHA1
c3f351725d8045fc970b1c6c5864c897a78ce5b8

SHA256
efd94a210d44355438224c50e9b9e3e58c668b9278ceef0353076d7dee38040c

SHA512
0c5363902af4860263a41928e79f96333b95b173f3684b9942e35ee447728667819ad00ef362c8e81d97ffb9b55c95e632e702b3a7247ae0e2dc249353c8e7c7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a2d9bcab9f8f2c825992582204dac306

SHA1
a7f438620c8f49a12fc1d774aeaab47822d6b790

SHA256
c4fb56e2b1cdca7b75d2270f363b529fa77eaa679f3812c36c326de304162dcd

SHA512
36ac5ba462b147908740e0eedd80d5c7336222e58a364d20b466dfd98cab6acbad3ad33a3acf7722f98617af8fdc6fc7c4c44b1a62f5502bd3c2353a5d557189

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9dc99dfb9b20b10a3a3d8e16cc835d0c

SHA1
fa6724ea4f49e1053b7fe02373d8608a30d2327b

SHA256
6a63edb0479d4afe59dd1cadcbf5f1197a4e643fcccff3385a786775285ca924

SHA512
5877521804c5b5ad69f0ab46fe4e04081326f7958afc998e061dc111e38d0d2ba21a8cf9a40adb323f03d2bfbd022b3e1c326556250e820589d6e09b305b24a7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4f254c6dcaf298c545aec0075dc9fbee

SHA1
f5bc5ddd41cb176b6b213545ee01ab910698f934

SHA256
2fe5bcec2d81808e0362701b64b82ae29d4f4a25ab8e0ef482b373196db97ba8

SHA512
ff4c9a924e9611e2126404cdefbd2d86c773cbd4d5962a6dc02e2fd0a8b2a02ae9148d1b2b8c3db027b4b2f1fc6d04991cc03f34f86f01c9109d320f247a21a1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
72beb927ba95a9d9aa9f637a26bfbd13

SHA1
c0cb740b3f74327da920a44ec5555ca479d75a1f

SHA256
35bfc9d539bfc3b18e0a95f07a496093ff7bee54dca72add19d955bc6e14d6d8

SHA512
44d1d755c3b441b4ed764d95022496903ef95206daf368cd93330a85209c4eb2f6148b34e1063a7d509a2b35c2232dd0cfcbcd998558b6dc3c184929e2ed2083

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
abe8c4e94201f20e5ceee8ffa22fe50f

SHA1
9266f0ef26a1a529ba7c28c07ec61ae8109debca

SHA256
9de0e16f39a6d6ddd579669a7b31886dc11896e3beda6e09fea8a8fa58536f48

SHA512
23df472a26f2791b39b396a3698a953eb9ddd75ead2a4d5f4974bf09d597ffba2fdc813caecc2040f064642a43d5e94efdaa87aaa390d75e50e38d25731d34b4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
95df62e89ced374b8db03b39524409e0

SHA1
6039738217dfd52ac65893a3e16ecea886f95ad0

SHA256
7ba1d8661d78bddf5051fb65864c285b581383d30470c8340a86dae919db5b92

SHA512
19d844a7867661ca6e3f627f029dcbfc4a70c8915c5e85e68d2ecc8319ec7871964a55687e624a7b92e0b903e828ef5a326e85d5c8412c947f33ffefee9bfc26

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9549968303008c3d2b057f65dfd931bc

SHA1
301f66074c770c458f1b4f313408b75b21420a10

SHA256
80ed5720274903c4d2892c6d3e7b02ae2e93896ad8faec4005e62207483f0666

SHA512
9377e6b132cfb95e65c5fe3c39c4ab784966ba96bcb092e16e51f50035edf600a2059f2cb62312019ff21e58ec8c002ae11f9330bfcf907175fe675daeaea6e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6d8cbd17327186efb479653d96a52f60

SHA1
fa60fc57105451228a599e53aa97a31027e95ed1

SHA256
f0cabf356fd9ad66fee915ec5c38457db626b28e041343e2866b9bd24df725d5

SHA512
69c4e3134e6885db1ddff4e62977cbd165e978a295ca67326b61b64a8831a3efb4a6f2aad46268aa63bd45fd097ed25487b2bcb76d262ada6229393dafdb85ac

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
bc42ffb628642c2c572edaff4b1f1cac

SHA1
8f943e3e6d40e520f5a3b3cc39c0755ce0f657b4

SHA256
8e16c190ddc79906d556e36d6618a3859a5386aa6ce1a3c1bb02f7182f47061b

SHA512
bb6449cb359994a883ef1abcf67070f097cccf7345a403a98ecc5518a405ef7be08afd02524eae5b2d275889907754d72e678ec961d26d9980ba8ccd6fe4b9bc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
6aa3379ef2b29547e9cd5ae38862873e

SHA1
d397b5ef9b683adf6877392b408ee00360a61dbf

SHA256
eab34acac3976577796e71076bb80f4cf211c3bc1cfa09a94283014463e05d54

SHA512
787885eb223395e950500c5da691ed054770ca5f6059ff4ac5ad154f97e8d3b550d6f1d6da8cf02f376f7540213a932aa7586e0f096be6f651b72f4632703061

Download Submit
memory/32-129-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/32-127-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/32-114-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/32-122-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/32-120-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1200-466-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1200-754-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1360-422-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1360-47-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/1360-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1360-39-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1652-912-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1652-604-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/1740-55-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1740-61-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1740-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1740-94-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1740-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1892-91-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1892-89-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1892-83-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1892-465-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1940-431-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1940-910-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1940-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2000-1-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2000-9-0x0000000002370000-0x00000000023D7000-memory.dmp

Filesize
412KB

Download
memory/2000-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2000-306-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2004-600-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2004-415-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2360-547-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2360-307-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3120-573-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3120-396-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3376-904-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3376-564-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3448-693-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3448-448-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3612-494-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3612-819-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/3632-23-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3632-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3632-393-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3632-31-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/3884-851-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3884-508-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4040-536-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4040-531-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4216-529-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4216-136-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/4216-134-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4720-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4720-870-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4796-491-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4796-106-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4796-100-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4796-99-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4828-911-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4828-575-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4884-913-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4884-629-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4960-373-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/4960-563-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download