8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-10-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
Size

1.7MB
MD5

b23789f07797d2b6b62f4b8696545827
SHA1

b30a3ea49c90e8ac311387f6552a42e413e82bde
SHA256

8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835
SHA512

278766f8af2aa6bb333d0dbce40a7501878474c2a8e54e589954c3462b62ad8e6477207b0eb748a09c3de27a2022f3e8dc37f082bc5c843bb684031bcd1d68b5
SSDEEP

49152:kKxNupkTcKb4rSUfkVFjUf9Ckt7c20+9qNxUW:RfupkT5NUQOfEkKK90

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4908	alg.exe
2444	DiagnosticsHub.StandardCollector.Service.exe
2212	fxssvc.exe
3796	elevation_service.exe
4876	elevation_service.exe
3720	maintenanceservice.exe
1492	msdtc.exe
760	OSE.EXE
4568	PerceptionSimulationService.exe
2116	perfhost.exe
4588	locator.exe
2584	SensorDataService.exe
3360	snmptrap.exe
4012	spectrum.exe
3124	ssh-agent.exe
3272	TieringEngineService.exe
1220	AgentService.exe
4076	vds.exe
5072	vssvc.exe
3740	wbengine.exe
3568	WmiApSrv.exe
1328	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\System32\vds.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\abfc628bd1b02b8.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\locator.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000793f10941517db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3275a941517db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098c1b4941517db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef4097951517db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5ec7d941517db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d8d1e941517db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da70e4941517db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2540	javaws.exe
2540	javaws.exe
1080	jp2launcher.exe
1080	jp2launcher.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
Token: SeAuditPrivilege	2212	fxssvc.exe
Token: SeRestorePrivilege	3272	TieringEngineService.exe
Token: SeManageVolumePrivilege	3272	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1220	AgentService.exe
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe
Token: SeBackupPrivilege	3740	wbengine.exe
Token: SeRestorePrivilege	3740	wbengine.exe
Token: SeSecurityPrivilege	3740	wbengine.exe
Token: 33	1328	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1328	SearchIndexer.exe
Token: SeDebugPrivilege	2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
Token: SeDebugPrivilege	2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
Token: SeDebugPrivilege	2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
Token: SeDebugPrivilege	2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
Token: SeDebugPrivilege	2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
Token: SeDebugPrivilege	4908	alg.exe
Token: SeDebugPrivilege	4908	alg.exe
Token: SeDebugPrivilege	4908	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1080	jp2launcher.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2264 wrote to memory of 2540	2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe	83
PID 2264 wrote to memory of 2540	2264	8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe	83
PID 2540 wrote to memory of 1080	2540	javaws.exe	84
PID 2540 wrote to memory of 1080	2540	javaws.exe	84
PID 1328 wrote to memory of 612	1328	SearchIndexer.exe	110
PID 1328 wrote to memory of 612	1328	SearchIndexer.exe	110
PID 1328 wrote to memory of 1548	1328	SearchIndexer.exe	111
PID 1328 wrote to memory of 1548	1328	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe
"C:\Users\Admin\AppData\Local\Temp\8cc21d0df981473c5acd757aa7a89379591f48d3bd47c51f11bb6cdedd7d8835.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4864

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4876

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1492

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3360

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4012

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4512

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3568

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
25fbffc1a739c470697b5d48bc729f07

SHA1
d188703fd8bdc0ef8dcb9db6473915db74e7b714

SHA256
4ab2ec829f0444d3047f2885058b4553f6ae506c40c2178879fcba38f8a67fe2

SHA512
8b8c2a4db6b753825d801cfc0112b1f36b1666d0889621f7f0ced5b762d91cd2125f3113a404ba3839777cc586de9d109566b8ba6b90f41a541e3848fc373aa6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
58134ac9028b6ca6fd342b80291f0c5d

SHA1
bcbcdffeef7c444f93a0374be9391c4ede1fc98a

SHA256
cc0fe29ed526f57f264cacca1004675b61e23c1f496444578ec4b37afc53567d

SHA512
92caec63f503dd159906831829d9c1ffa61a59765cdbee3dc624af630f60fe4c7477ad400b92367f9070814cd252f10b119d22829789423c0ba33e45a8c23666

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
00558bef8a63876913132dac6025f8b0

SHA1
c45be8019403d3258aab9a91eb20f9b24355e210

SHA256
a8090561b3960cf9aabbf78d7491887bdfb734bd767e24f2306b7bb4c6db07b0

SHA512
13c74889a40bab1db08ca72ba4fc19c9f598fc6f1d24edc8f5aba06a5a4b9067a1a4f22bf6c5ea8cb938b64ec974dfc11eb662bccd8f1f90a3ddab6e42bc1d20

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
25306ae9ea2d27cdcc8fda07645f3730

SHA1
74662dd27656fdc60217bce9b7785c72135d58ee

SHA256
60d32988392fe6d748f550324180e2cde3ea6a65da31283cb19be0a116db1dfe

SHA512
36f623649d34f23fd260ab2d6618097863cfe8bb9ec5972b68f07369680df30674f09f6d844237dde7d3a5b25847ea33e4f245234426e1f84136965e0c7e73c0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e8e6ddbab41d9e47208d4f235acabe94

SHA1
cd6467eeb4e7e4d51b6a9fba290d3ab55803b7e1

SHA256
cd24c435ef92acf5587a75f9c53d4a84d4a55bd3ee57c35af76439868f15b997

SHA512
24473d805ce369224b8554df5dd360ceeaf688bc79dd0fc2212b37fbf3f4c7e6e2795679ccf9f1e8370ec040f50f5ea265f501fd49e4b1bbd0022d3e8fa47be0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8957a2f5dfbda02e829f5c619c3d2f9c

SHA1
81d56b71557dfe055d1677c34672a93db53e1e78

SHA256
a69c8bab6cddeb79c4a676cb7dc17e47144ff36628886ba5dbcf7e4b69bc5a86

SHA512
c267dfafafb4adc36d34f21279877b71bf3cf7844366a044a8c297a8d45a41bcfdc8d70d63c82ca2c3f7489c6dbb5851a162b757921a4fd58eda05c07c702d69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
db2fa94a7c0eea3acb2275971e531834

SHA1
2284a739a02242b43029320b09ee0926f92ac566

SHA256
34a6e0fa9ce5a2f00481dbe8ecbafa8bbafefb4d9d74fc266a2627df35af88ea

SHA512
13ad4e5046e148ba496c507ebc1d2f156d55b767aea6fef9842c4d45e0243549db89501354902c13fbe50b689260f8480ca076becf4aaea14a5d42f0ff81c264

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a9dbcc8439c89dae8719417485b84274

SHA1
edb469ace2e7ad47475f11b2ae2c3e6e6ba536eb

SHA256
c9af4e691cdaace64ca30c519efb18b32fdf131aebdaee7b2e1e1b09dc8025ae

SHA512
0a72afdfe6fe033ef17573d715b75e81e8146ba44b287a999c1fdfd1658bc8a872240d85765cff6cd17b5cc38964a17d6f21db5c16918afa28a0847b309a8b51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
76461af194295efa65da81d7ccb3b3be

SHA1
bd23ca26969b3beb0bb9899bb1d30903c2a330ec

SHA256
66acded48dad98f63a1eaf3315622af4fc8d7f0a5331185efa6ab81c044e3327

SHA512
18036e428de116d03cd4fa7e6ee8e636fe6b135a8559c99dbbdc3786d4e5c6572fe8380c1b170f8b4cd7a9026f34e08107c9abea40031d7259411452ee576328

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a5630740a377af3c1a7bb5a9c9ef5465

SHA1
8593bfd4257e604598d7be7ed8ca4246c4d52013

SHA256
5757e8907bcd8ced5c7bad4dacde00d0d31564896b9aee239c7714056a2b7261

SHA512
068cb8aa7baee2fdfed490bb6428f395eba20f39c4a8035f70fa23b3544a23f3bd8af0136bba646df41bb0e597736530ddc46c923f84eae3e02adcacf707a018

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cb60a71f0f384f011326820d496aa0d3

SHA1
0ca7eeab58888f8c189ed67d790b2a43e49d4f04

SHA256
b55d8b092422adb0db394bf998a89b199e643eb088c3c42e64082dea8170270d

SHA512
30056a3eacd1450bbf245ef25298c7d61d922b938ec0e4c9c7d2682398c7a67027be6ec13ef66f6f7d2c91e63d90c0adf289d42ad0527d6c2e789220d80dff45

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c20a9ce5cb9094b1c9457defd9804b83

SHA1
11e3f1d81b26a2801c6a548c6f8f4dd174e05bcf

SHA256
a0a2205154f97ba29a2d4f44a168098d572c15fdeb390698cec421fe14528f88

SHA512
15340a1e42e3fdbcf6fe24fefbc2a3121795527e3f2fea5734b2548d089947aefa77ddebd8a5b27eeeaec8ec7bf77c819a05901c7c7b016c1a0e3526925d8cdc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3b8a0a9b160d6016c3cb4970e1be0537

SHA1
1203d8b0de60b02bf7f0f44aeeeb4940d2766c1e

SHA256
d58f828cb08fbc917a782fac008ecce4ed06301bd955a3e707363fa11c8c6ebb

SHA512
355a6538f346ca83e0d44c54a6f6cf6f2011783227c0af13a911d67c80930eea7cdcd4597e89cf6479aa175ea4c2fb3509b75cf97ac2006ba4ae89bc63b261e1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
53f0e03ef8a5d737973a0fb96f2a04d5

SHA1
749faa5ecce082012a194155943298a9944aca48

SHA256
5e49ccf9b49c10bf6c4d1a7cb0f1c2c96204de081f9e4d06925aa79925fffd20

SHA512
8d5ffca7830514c47c5367313a60e08f290d51262447180b38b40143bc44c7a698ea18e4780890323c67b6aa70421ce27e206b67d8f9be5b310084a1a19797f7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
57c9de825116ec89bde09e4908f7b258

SHA1
02c99a2ee4b8fad8b9f40abfcca59fff43a10ab2

SHA256
f0e10e59d4eed0577b4f1cdab89fb57dc6bae4f6f8d303eab93b50828e0fbf4d

SHA512
86c27034e412f54e31164c90258ea71d50af025cffa3f45dc1aa0ba37c12957a7d4c1fb5a7c8125ce98ecf6b07391fb20c16bb88db71c599dbd51fe826970584

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
936562c5c1818e5590cb126576d25b08

SHA1
f204521023efcd0252bc4567342365bca8def8d0

SHA256
0fbb0b9d30671668ff71d23cc57ea104eb829db89fb3bf5cf4cab1d9707a0d6e

SHA512
d944ed82c4e77a8abdc2a74ff1f702b6af891e2db21694f274cd1ee42a782fc85da46005a2e2a3d846cff97ab0354c3c4ba163d6c2da963232474c84494b993b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5279e8e8987cdbe992ff2d6cf3183c2b

SHA1
074d35f23ca5bf6a8759bb2594a6b998ae11aeb4

SHA256
33d63f185441bc06e7b5c6b1a062f8b34e0cbd903fddc553675db5b8c7af3fc6

SHA512
f0a8da30ac5da998a6ca6914b2ded7a1c5ae78fc18b7649e29025d0f37ad4ea817c440a2feb703898708bfc519fb3a9d0cd7798382535f910cf8f97bf1a5d85a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
2c59a30d805532077da9210a32b132ad

SHA1
733b9e5ad43dd31ad955f119c0e75430a4f6309a

SHA256
3049a65ea92e880f31deb87d3b4ef9d09a48ae597223d73f746c1d132eb7d60e

SHA512
44d1f2a4a3eac1d11e3e0146080beffbd219223e4da14fafbccfdc349cf0bac982512ba9260804c1d8d91a73531dd34309b373b1d563faed3e9a366781c04aa5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c7c90d91bbd0f5ab8bc21d54f7eeb41d

SHA1
23ef6030492ffc1237b3eecfec8aa2eb95947009

SHA256
80b149495a46e123a1f754a509f50edb12e2c550de4729dc49dce5695af703e2

SHA512
30147a91a0906099c6a2dd4e8252554dc4dd437db7db01815657afe16f65a9f232e3ee1a8cc66693ea99c80ea521279d665835a8b32280c0044a37d96bc335ac

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
bd65b312c38ae2f701413c60e5002561

SHA1
c39a0b7f89b27396db8a2a96e124a59e52f16930

SHA256
e479c33d3f0a447e7bcf65e9c36b9295abb07c1543c6f45d464acce0b1bcd918

SHA512
cd5916d2cf171cfabb3e2dcfb18f808652aaa5f76a98f7166922a03559dd3d7ce53f50b2fc5821d95d3e188e6ff522b65cf68f5852af2f522e436bd57b7b75c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3dec6b3daafa05f45e6c4ab42ba8fd16

SHA1
75528fbd815ef2af70652ec22c29cdc951aa0bfb

SHA256
cf49fa3baba089f3d6148e5daf15629cc7fcf0cc393faec0597a63fec86687e3

SHA512
e6edf5fec61cc7e5c84457be2588f6003fe93b836db0b887b059ec88acd729fbd5e880967cbed295f6c5489fe993c15a350919361db85fb1f45bfa013507b4da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
4c273a174e6b5263cd3647e32f9bacdb

SHA1
b0acd4142b8297c24e039e4224229fbe89e7eb0f

SHA256
98586ad04a24a21ab8dac323c5c118de187a0259abec9498ef36b2027be70380

SHA512
ace2ff4d54959700c8488b97953568fd3b44e13a9645bf95a46bca9222487635be1323f8d92f7d12de925822f7618886e992c1170dfb42c697603beed5f465b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
aa39a7fe556aa20571a5f73648db8e34

SHA1
17d4f0e16b381ed726c26aa7ed315357c84c2390

SHA256
faa263468d2a99369307fa4b086337cb217560f2589e9134338015178a72879e

SHA512
74bc0fa9ffdbf9c8886ec3b99b9e003b40e82e70715f53f66de19ef4659c940b348ef9654134d31fcbf6e4eabc7f029bef06428a35f68cc65a5d10e1a287f022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
df0118f37e25cdbd71653200f594f44e

SHA1
235372fc0da7d33a7ddebf93504832e675970131

SHA256
33af56fd8d1bf1b6466b563fbd4590f5dfada866c51dc11310af328506494c10

SHA512
2fd0e4ccec57765d9e65af94b0110bcc13ff9d8a65c72b50951c6cc54f973041b55395465a5ac6f4bb5e5e6dc685f29f4c469d4283a7f3752e45dd2aefee968f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
96e88a7447b65e7bf006bf37941eb91b

SHA1
e82b259b35ce901139a7ae3b23ee77b108d3bc34

SHA256
72a6859acc69b420113a8f3adc7ef08fa9777c92d4dc4598d2f0f3d1f849d5e4

SHA512
76c67caf772052f8ff194298214c02fd2678d2fe2e37db883238b932d3c38e74daff031a04eb5adbdd9d2c2f770454c329bb9acdddb19352bb37ba19a672cdcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
375bf8ff6d626af7832f17440ef0f478

SHA1
5a8ebf743f322077c13921a629bcf5c35a4cf723

SHA256
fed81a366ee77770e8d99f115fbe68b3b4a8aadfafd0ae6f97e9fcbdbbc60014

SHA512
e4b9214fa27c0512dbc7b5457787dc6e5d11be067ed5fc8d2eaaaf2d45449c235ff664a405096773889d40eb32f5b16a8b045d1eccb47122d5258c69ab2b361b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4d31d30bd72aaca857d07d8f0bcc9d17

SHA1
8498ce9c4173471916627503fed6ea35a5ff8d49

SHA256
cee5760386dafefec2082219cd116126f65f2676bb711bb610c418c84f1b284c

SHA512
d77d0e29a1ee8f547070f8430f848db6328472215bf1af6c81b9366c1b2ac700dd7170e46f1a80177693ff618f2df9bf00ab729d2079c218451d9238c34d97e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c7fb34cb467384420ad43f56a9baec72

SHA1
2ac6989a17118bdc921131a8711a9d3e1dadf038

SHA256
ca54ebee1045a49a8e14d56c288630867a91f1be821f3f946eac9d1a2ad0641b

SHA512
73a0839040bdb1aa9277a1ab416487a5809409fc16a4aad3ce08db2e2f21be0e623da5f84a552b09ad83b2fa5c03a59ff4f479919364cab9ea713dd5355798e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
f021ffada449a4b9cc072b316936dc88

SHA1
47d7d30fef541798d24c9ea28a04e1e987963d43

SHA256
ac532f7be14077db2356d57af0c90f6c32c00334f25e5dcdfdcc4f1e25ecd407

SHA512
a86e2ab0fa72adab5312178ffba994e11609c1f9d385731a843532909ed7aaf6d203ae4f26c28e3a06b3fb3ca032baab982d69cf57300f6114bed6f2a22ea75f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6d1057eb094194eab9e9410c5a0796ad

SHA1
fc9d9bbbe2d4903a94eb4b507b99e06bdbaea9e0

SHA256
4e4f1eaa8526abec8df1bd40bd4997bffc06ff18f45f48b3119d2e74c46eaf18

SHA512
f254a1781861456dd0fd385f48a87b9ee82c565d09e60671dabc24ac63482d4692af84d797979fbf403c4b4c73c9c714be72aa5d62c96eabfdf40f6c8fbbde2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
830ae80332a7bae488245dca74e113a1

SHA1
db07db9eee71c9956dbe73b27a7362dd39503510

SHA256
a2d4530ea747a9e79c7836c10766abb645b4abd0486f7f2cc7d374d2b9f8a7ad

SHA512
1e58a9a91065eb279d3f7c5e53e19831118847a633ccd98594fa3c05e6c350bb7b9e5dada297fb39869e40b995b4d2c3308800986358eb3d94e7877174c24750

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
af060d47258c635f7e0d24defddb9ff6

SHA1
717c8889686eda8128a85fb84e3635d3a8bf025b

SHA256
bb278df6d14eef643967d72241fc6ac962ed13a2a2cbf261d2a1c9eeb1cdab1e

SHA512
a7702015f65a93f03f9b0b3376736a3ef00af31b6f293333c6e5c0beab4f695c44b4f86d09021d8ce1932fead284545181ac8054b8fb633d6d36f07c6cea38bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9fd65cc35b687dd18fd76af03643b9fa

SHA1
a3b0a9797cda83ccd6fc673326876cb885b33f40

SHA256
24df4eb86082d3ad0952b06373b9642df5ffe373c7363b56f66fb96d5bfc680d

SHA512
3f5413561d0d82b1639d1fc4416842bc2994bef2afd511895b959670b9236ccea2378ad507138af53f3888133c0e25e0619a749683c841003871ba4c17475503

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5d2084ea9dcd8e9354af9abea695b0d7

SHA1
fcd0ffec428365bd2579feebd2352028ccf741c7

SHA256
2e81b4de26e26a4d6103950c50f36ed326ee57be33f387ae69dc9d139ccf185d

SHA512
720c51311956e77b2c2d94c08152e0128d12d2c9917a3dba85b7a11abecfe6969d1dc1f289c2eef87398d71734c99559f42603e421b6e786a474e6c687e976f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5fe806cd1139c2663704bcf2c0146783

SHA1
746c3295cc599d0edc35fe5aa7eb82ff4696ecc3

SHA256
c2fac46158cdc1a94891d50ac7238cb6552195ddf56c42bcdae279a773b22f55

SHA512
a29bbbacd98000d0a00a45fc1a9243d9e383a887fcee843eb61eb84b28213da862a71e0c6ec7220fadf72e9452eb97a9f7f688cc7fc2209f81984b6cc4f4c564

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
beb936fe9041b5230f3a1bccb6c3828b

SHA1
7b8c4c9dcf0ca4915e15d912c11f59ff736a60c5

SHA256
dcc37962d156e426a478961aefaa686316410c33e8a53a2c4c39637e86e41026

SHA512
ba5878e06037653d5cf18059b3035ceeb2fb24a7d77a336097b73c9752697cb93fcd9c4fd538063dca69b856c084fd243d450bb276023f19a6114c48dfeea7ae

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
47a6d297b9ad6b00f2047e2dececdcd4

SHA1
d1b1438c4703cb7f084d12bc18f882eb1c4149c6

SHA256
28af9022264b0ce3d748f61ded6ecea3b88eb51b4041b72d7d3304e4309ea47a

SHA512
7d96ba0781e9470ccc9f7e62fa45a614dd6264183147c8b54b268f1d64941fbab73e875e33df2f36b3aac7c2491206b9b616c28da233f7568f48ca04bfdb5da2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
db3aa82c6889ff5e1849486e05037827

SHA1
6666b57caddd6f18f293a9abde0522fed90d3a18

SHA256
b37cc7aa66e5e2794247cf0e537d435f0dff803c7003f7dedbc1e5f8c7929c56

SHA512
ae609573fed710b03c7c3699945c0c68211d192a55cf8ce1b214acaf90f720ae81d013d46fb35d63a69ec489855cdc00d236575a3d207b93c4697e1f309cea5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
896B

MD5
ff93384e03a4efa627af297ad819d090

SHA1
078b4d69615b095ffe4424a5239dbf590ac13969

SHA256
5f9090da10414f928614c79aabcfb2ff3f4e0d7e696066e8a799762edf48348c

SHA512
60405bc6fb20a653c6dd8ede00777b037fac51971feccf5b1b9890a14553430c077f38edadfe5226a3f0f116c02fd3dae07bb3fe0a095e52350c63ba1183ccfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
00e5f72258e6c602e6841bbf4c30b136

SHA1
52dbdf9eada5d7b0e015fd3523cca5cb915c23c2

SHA256
905a454fcb15e9f2a469a9a7e6e42b8c6425d20b33a59be5b84818daae964807

SHA512
50f0f286680fd33c29956455ca7e2d293402f369bd2e9079e45930853f1feb6e86208e1c8762d26dfc6f7e742044e912a4efded9a55ddfddaa454297cedc60c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
e122511bcd7bfa4e98527b4cad966ac5

SHA1
59ab135b5a26f960eb3d3319e50e914cbf99550d

SHA256
70195ae1b8b37cdfd8008e672e587a999ff3bc1274c12617cc0aff70855913e9

SHA512
4774c0ffaf8a84f070d4400ee1765753d4b2c69a131e6bc345958adc1a823eb19d49318066952a23d2500273d109e07714768aed1f168d130cd1de7e04ed8214

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6e839d80876f193f6b170d7028c0e8be

SHA1
de4864b5fb838b738e5db56e07e4c6884f7e945f

SHA256
7f40ac1f459a73864ce26f7ca104adff4ecbe8a0043425a250720f3897db562e

SHA512
db1e7475c30ac0646fd33aac36beeb70aee8b0829070d1cb65dbf7a8f3f26defa645e4fa4bb0703570f146d956b4b213223f74ebd9d02d530660f57f4da758f7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fbfc36971706565c1b9adc4071ab7fa5

SHA1
92c11bdd74c9fa91b8e9c80a58d2dc0768dc32b9

SHA256
45796d1c48a18a13066e6822dfdb776b6e3bbde4504048692d800121564af2ea

SHA512
a0d2bb3320c103759dc8f4157e6413a5c1fceac4bfc207162f1a081ba6cb5a72033d4a1d96f141cbe9f059e5f23fb09c32ca21048acb8b41c49e33fe80087196

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
256e34f895f945c5e4d27448c98c4cbe

SHA1
05771e696d87b4c4e35a0f0089470cb883665d09

SHA256
0ab437c5edfd0955ae1dad2d6090e03279ee3e4e5e75d310d6bd04860b50dba0

SHA512
28f1647231fdad1d4997ca60628680fbcec349c73909ca327d91846488088df36cba22673cf335a32c2113163c8b66b8619b958b0d7dcebb324655873ad4ff97

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
192230618a2f3b89ada1fcc3a16224e3

SHA1
7ef5ba4dae7394e5c8238e9ce165829d447384f9

SHA256
77daaa7590b2c4dec8c419f82b8ab4b579c3a9269ae66d82b19224455229bdeb

SHA512
00d7ec97090fa9085efe57da11e331953bcb122631c36b85ce851dfb64e4d7b6ea1e1e16a1d207f3f4008ff366c7304ef4b6346f76e7cdce74323674aa6d6997

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cd28e25d45f31d7ad90863548490f19a

SHA1
7fd5ecdfaed8068686a3e79b60f36d003cc631b3

SHA256
9ab43a3d992d719f234cb0849ee06a8e78fcb480a5c10176aa396c7ab50e04b1

SHA512
4d577b1a50625153f5782f6cf120edb181d87e042def969720ac7dd66719e74917706cfc6caacf9a54da98893ef240f8732a7b823fc880164418d2296b7bb473

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ca49a5dc844697d98352f346e896df0a

SHA1
d77ad083951e483d722fdf5dd4f68fe7eedaa274

SHA256
70724b34f77a6cdca447e50e0fa9c73a6f3c0a7fb28354cd3716e7a0129f6230

SHA512
ae5bc0585c95e032a222d0cb2f233c8e0966f54faf07746d30afb33d9fcd463e95232a6e12dcc3c1b04c384808bdc32ae79d367710a5d5f4f13feb1b81ef2342

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4f5f8928e8235665b9b0a7046132332a

SHA1
f8946349967a6a777ce8648ed9254c6a9c92a01c

SHA256
c0070363303578705472ab98a2e951d10423500e7d958ccee33edea820905e37

SHA512
74e41935fdac151b6910097f9547a60824bed41236273cbe70d519ce600671dac66fbbc38140fef66ef4566c59b16a97f5a2ef8538e554c52b784187adc8b55e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e1b32c380f0c7f3d9cd1051351245b46

SHA1
da4ddd0adbfe99e345a030a8c87a32d58992371b

SHA256
10b3bc8ec6534f8f1e71b9db401f1fbdc23d5b3b9c4b9fbabe042441f16c2c00

SHA512
8e1b48330f36f3b4488beafe45d73696126b74caaebbc286ba029195cc53199fbe882b28a9a988129e777a90829bb07353f4c324224360a3353d1fcaf00e95a4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ca30502d4a792489336d1ff095aa8c8c

SHA1
756d0ac3215dcd73b690426a79684ffae502e336

SHA256
02497c94570a50627d93edb381abaae9a8c2e065c8c1a829b21c2475727ba2eb

SHA512
76599d102a895312862509712f162ea3a3c0baea53fa048064840eb39515442d68d13c87febd5662891d4994720d0bac5b48eb28e527d3e8cd25aef50dc73d71

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7aa094e46a3e9788552cf71570729f00

SHA1
61668559bce848d6f1cd4cc200f74a305218a87c

SHA256
2d45b8906ada7646faa3fd9b73d3bd59a9142421da728e25acf8d15df73d4b9c

SHA512
f7394804f90ee935240d04c853b745a33938b2150b82d693c4d979ed4b5ff8fd2205227bfd39ac1807c916aa4526ce57f03eac898dd1b32cfb436e0897d21d91

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
8f56d2e20b85c213e1555393ac867170

SHA1
2d02330c6c1f8445522410f40781bc114d75bff5

SHA256
74bf13541ac0cbda8a7d6707abbdd4d29d2721e8ab364a01c4793dd375d63ffc

SHA512
c996de1cfd7d0ffbc134535f6e51723d60c30c11c4a2a0d18a99aa0ae471b040f9292a926a0bb89d5c60b5e7e1e02a81907049ba57357c863fe613a965cde99a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6544c53478337be2ef835f541c1e291b

SHA1
ffb342d6e1e744d4023a3defbf93beda48210826

SHA256
82f84c72b7925421e0ed67d3cd1a2e99308cf273908f32f4e979c2d64d5676c3

SHA512
88bcbbf67f92e45f08a18a295b70ad3f4d1c62301316383366c5ec575d0cbe15c0383dc2194f83ca75eae6296b90ed68a22b9adc93c40b78e18e6f6c30153e81

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d10d667ac4791367f52e3c4ceb1253cd

SHA1
689745f0baa9e0bbdf745bfa779fcc4fcb0bd580

SHA256
addea67b69d1b6fe94a83ed6a8ea323195ca497846dfef6fb16f06b591d7a9c8

SHA512
36180189804fcba4bee2d282f1db9060ea7623f30e30fc6187ecdc6fa0f132984c70794a08111c04f741842f0a28ff0224bed7ec24b94b1741b5a332a6150c2a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f0b43fb5854326d29594afc7ae443727

SHA1
02092a3cfb5ba3ea3d557df210a64e9fd8745b47

SHA256
52475686dcb536f24a0cebd96ee2566faece1b18d71089d5abadf48ce8dc578b

SHA512
64d81520d549297ef6c3f84625e82d0dd0b760a21e57ad28495317ff466f7d58b055ef97a48b2ed9af4dc0b398c72b527ea85a9e33fc42262d6629aff288cc4e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
5ea2d611409912e7707db82d38e0e2dc

SHA1
d5a8e296f0ae142c07164c87355dc6ccf2cf65ae

SHA256
89295c5a7b776c3cf1d51122d53c527dd421f18025fa7c2148ad3bf59d85677f

SHA512
d302a56548f58a5247b3cd573421fd833f7391e8c30e88d5c23839c629504a6d5e78aeba165ebca5946b379b2ade867d9527382ae18575260a038a2c244b6bd3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6ca4df4927fa220df7e7dd950a01cb18

SHA1
02c2770fe85a82dc72aa59c2d7afec7864fe9bc5

SHA256
da55efb6d0e40747b32c633712cc07d039c0348fadbb3ff9c94b8972ece1bd3f

SHA512
b573eba7ed73e3cede2a2461087661d7311b1617c7e0f2bb93d61c34716943bd87ebb8bf28d9b737f9b71fbda1dcd5da3f5eb086737985f1a09278101743b5a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
da6df7424fb58c2dc33e7100d9a0ac32

SHA1
612af156bd622d696ab16a8bc8565ad066e28bd0

SHA256
2728c941fb814a05973beda722605acae7f0f29b94ce0288fcea94ef85cdff65

SHA512
4738c6d6bc7870f82bc6c53048bacdfdd5c169c4702b608c35ac3a91ac8581b914b4ea96209f3ed5c99c9b07bbf755873acf09e0dddaaeaa9c76e3e528b0c21c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1056c696e0b11d95ab7c3f99b7878261

SHA1
f1d99d2db668b6224f8877b781c665f9c7de15a2

SHA256
f5891ee26b1e4300b2fa3f4c413e9d7514f2d8ea5ac2ccf767db62dc32522c4e

SHA512
c70acc6e443e77fd49a96ea39475fae590ddb7809e110df95b38dd36b95d560ee4139c2de5668c6a41ec0fe906538b7c9784f0799d73ee83055407f50e9d5ecd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
24dc61b53f8df4699d378df369e87f7e

SHA1
d9142cc1b2f67b5b385b259fdd4276ec929a9ad6

SHA256
68c5198730f95cb200e74321cd681216a36bce02e446b400f0e61e42da713e80

SHA512
caf57b0a0578a7c6789fa44e5e6701fdbfd3488efc3cce8bf85c67e3b8f8c26166bfc8fa9f4c883a615ba2234e2300174866f38b6f9976a8734faf1435016389

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
91c0ce5604bfff755688c3446033bcd7

SHA1
1c27c80ee6639067da92cda420e52b156d740a67

SHA256
08581324f62756c2c652835ebde6b5849e75ff33f9079e1f217638b12a021fa2

SHA512
32cd659f13e535bccebece6f7ce69959f93d0a65de3b91237706caf8f9a38ced8b308a495a9f1468517ed54b758325619b8e188fe07e28d00bb332c378c6ca4c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
08001cc232896d0ea21c30fa976e2c1e

SHA1
abe1260a60c341243ad47c25fc0ba58c3ef40814

SHA256
e01d6cb0dbc9af0e33ef40b64f8916a3534ffa058f9c905e1bf255d20123d68a

SHA512
723de2564e8617c9ef94079c4c95c8e5ef07223fab8c97e191e091aebefc1ac525b9dc069924338300e51ba78b11b862384ea41fb5a261a2a9aa46406efd61f1

Download Submit
memory/760-509-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/760-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1220-508-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1220-502-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1328-581-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1328-959-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1492-130-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1492-501-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1492-136-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/1492-129-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2116-556-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2116-389-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2212-63-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2212-101-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2212-95-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2212-57-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2212-56-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2264-151-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/2264-1-0x0000000002490000-0x00000000024F7000-memory.dmp

Filesize
412KB

Download
memory/2264-9-0x0000000002490000-0x00000000024F7000-memory.dmp

Filesize
412KB

Download
memory/2444-47-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2444-39-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2444-45-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2584-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2584-906-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2584-422-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3124-467-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3124-812-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3272-489-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3272-833-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3360-654-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3360-435-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3568-565-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3568-956-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3720-140-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3720-116-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3720-117-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3720-123-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3740-557-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3740-907-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3796-73-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3796-446-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3796-79-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3796-90-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4012-796-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4012-447-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4076-510-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4076-838-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4568-285-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4568-536-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4588-564-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4588-403-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4876-466-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4876-109-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4876-103-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4876-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4908-388-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4908-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4908-33-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4908-24-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4908-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5072-537-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-871-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download