86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Size

2.3MB
MD5

877207b1a7a274a9b8cf8a5c740452da
SHA1

541b376b22643dd93d51e365753aa0b2ddbc2c0d
SHA256

86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022
SHA512

32d27d6d9f1450b5d7fcf607b7b77c02bc6a7fa9d61521fff20ab22b69110dad8fd1078cc840a81c65af04857039b1e913aeed505cffc8cb4cbf40a84221b948
SSDEEP

49152:ToasIxf98AFB+ik9wzauGLOXT5XCC1ee30jaNf1TWbdz:jDH+BhuhD5yC1eU023W

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3504	alg.exe
4264	DiagnosticsHub.StandardCollector.Service.exe
2876	fxssvc.exe
1636	elevation_service.exe
4228	elevation_service.exe
3464	maintenanceservice.exe
4320	msdtc.exe
428	OSE.EXE
4920	PerceptionSimulationService.exe
2820	perfhost.exe
2324	locator.exe
3368	SensorDataService.exe
2804	snmptrap.exe
1056	spectrum.exe
1164	ssh-agent.exe
4060	TieringEngineService.exe
3432	AgentService.exe
3604	vds.exe
2756	vssvc.exe
780	wbengine.exe
2732	WmiApSrv.exe
552	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\46274e6965f51a6c.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\vssvc.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\System32\vds.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\AgentService.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\System32\msdtc.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\msiexec.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\spectrum.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\System32\alg.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\dllhost.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\locator.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011b6aaea481fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7f286ea481fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dfe34eb481fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000276218eb481fdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065029dec481fdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044b38eec481fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea9870eb481fdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Token: SeDebugPrivilege	2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Token: SeAuditPrivilege	2876	fxssvc.exe
Token: SeDebugPrivilege	2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Token: SeRestorePrivilege	4060	TieringEngineService.exe
Token: SeManageVolumePrivilege	4060	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3432	AgentService.exe
Token: SeBackupPrivilege	2756	vssvc.exe
Token: SeRestorePrivilege	2756	vssvc.exe
Token: SeAuditPrivilege	2756	vssvc.exe
Token: SeBackupPrivilege	780	wbengine.exe
Token: SeRestorePrivilege	780	wbengine.exe
Token: SeSecurityPrivilege	780	wbengine.exe
Token: 33	552	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	552	SearchIndexer.exe
Token: SeDebugPrivilege	2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Token: SeDebugPrivilege	2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Token: SeDebugPrivilege	2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Token: SeDebugPrivilege	2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Token: SeDebugPrivilege	2460	86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
Token: SeDebugPrivilege	3504	alg.exe
Token: SeDebugPrivilege	3504	alg.exe
Token: SeDebugPrivilege	3504	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 5052	552	SearchIndexer.exe	110
PID 552 wrote to memory of 5052	552	SearchIndexer.exe	110
PID 552 wrote to memory of 1284	552	SearchIndexer.exe	111
PID 552 wrote to memory of 1284	552	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe
"C:\Users\Admin\AppData\Local\Temp\86aaa1bf8a021143a138df26a4096bcaaed8a7e6d5dd9531a64db5e1cf1b0022.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4228

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4320

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:428

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4920

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3368

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1056

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1164

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4516

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2756

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5052
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ff2683307d5510bfd8649dfbc9eb5b13

SHA1
aea2faa4bef72506fa0e2c16601dc95eb9040f5f

SHA256
20c107289e21603cb3c3af1d4b30c48eeb6bc9387b927d6ab831e8346f6e2038

SHA512
a08a0e88a99c64dd31fe64fd62cb4d20075026edd72a7605c4fa512ff9446219e055656487c341ed2f266d872e9f009cd2d2e50a2dfe068ec956f19da7a0ca17

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0f9c8d672dbfc300730b8e15f264646f

SHA1
73d442086374b4d24dfe1218f3e4dd2d3209646c

SHA256
e0ae6d106964561de54d8dfb53972c0024340735610c55f304465150d4ebd7ac

SHA512
e7b05dc87379d3ace2e685dcb2ccf72e50a4804773571503de04448223cbf15ba5d3a564dbb049bc9ab0411483672a5ddfbda93ee44a9bd8bb363f0341e95fff

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3a0065f5830595790c950c48e4aefc37

SHA1
d2ef573ebc27e3dd5d8841a40ef957de82d6e93a

SHA256
98476e7d5157d2f69481ba6ac9fcfe042764fb4c3ad19ccff6fd7c3f70a50ef6

SHA512
5824cc35be7448114d362c6f652c6ff235a6d700cb61bd2e7cb6c128a3d7b3367d01567fcb0fb8d406a417bcb754a3303bed12e6aea68da6701bc8d53275a665

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2d0cc902a012fb2d3f472390ff050e5c

SHA1
b983493517a9d009e8d9aae7d396a9caf1ee0a90

SHA256
ad6636c89bbee6dc9832d4eef98df316e90f898261eae7907c62013bfde420f7

SHA512
ed7fb6b3e2cd1ef8ba8e022204647f424f2489ad0d1ebd989970fb2b774c38a4ffce1c1b89c50094868f392d1fb93f85ccae22850445074c5025a54b3206f92c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
14bc15f932c581334bff016229252c3a

SHA1
0259ab744496c12dd58ddb89347811adaf42f133

SHA256
b1e1d050cdd40c3a3ea02363408483672f2f268e22e2a6f19ba375a9fd4379c3

SHA512
2afc9e84923ab30d7ce6fd5a8c7d41128f9d071d494284223eeb5f824107e652f5f70263d960ae668dbc434ba75796af695222dae7fdd5d3d721b0b7c59a55d8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
9f71ed04fd78c244ae8ad17a2869d82d

SHA1
5450fb2651b80a0a7d976ad1660857413d06efce

SHA256
757b49fc833b7a79550ffc027eb1c22c5b3b5ab34378ef773f7a9331be732ad3

SHA512
e0263f54661918a3ecf060181e035fb57513a0c07c93ddf52f6f313c5cb09968fcaae3adb4190a72235849ae66580a02eb12ee42aaa08d74677c84cc45443a68

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d04fce0ecda8510c1b598ee0d2f6ab6f

SHA1
27afe1eeaf317f6a81c066c7ead241199b7ff99e

SHA256
aab01f3fddc8f5ad2b875888493fdf5e29ca0048049ea8714843b063ceadae36

SHA512
ac80579c058b38e0e18c3343c2f6af285789bd2aee0a2d6eff1b99eabeb1ee413390f7c95f469eaa44274e78918670eafca3e1e44d8bbbe4cc34c569f9bb8aa0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
467ec49b99a8c095980713f6879416c1

SHA1
d185f566613d239f989c5e0521e9e3a3921e415e

SHA256
d4ff21145596f09814c465ec429332ac6a67a99da0c9131d96d8c29cf3c3d954

SHA512
92015b364c1e073c2340b65c1e6dd50ee6806692be3512b22883e7b588fa56d72d77aa1826bafe0568099511fc7fdbc9ad45c4e3d14941542834cafeded53d00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
9cacf20edc295737f0e39e24c1608e2d

SHA1
59d78111733947bba18ed7a4149d160c53aa18f9

SHA256
a1b6782ff6eac7f47fb7cff8d7eacffa3fec876969ce1a271eb1d55739a1dae6

SHA512
333f9d3961f8445d2d2eed95a63ba4e9382bf9e93b5bbbaee7166fe5d4018f5b6ec721943632d9aec6bb899bb82a6d5142b73db979e19092c3c271bb90b289b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d49aa41dc5ddb9c4e955ce2f26baf6eb

SHA1
f63d263abe90edec47dd6454acd6e4f58cf67139

SHA256
9a4d841982e7904c496088af62c9ee0e44d0c639188567aba158e1e5e69c0c98

SHA512
1214c204de56b6506888b4c60c4592a1e4f89a972651d77671586cfea6fb4e88c4ab78f9023722827f4fdd6f91365a9dd0b501d9aa43204337cd0a9c5c6c8487

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7f763a53a684f7903bdb3228e4e510e4

SHA1
069086878fc34911027c9e4fb28e1ebb0044a5c4

SHA256
3e5894a821b7a035dc3280f5a4cc9051978fefcf91c6516f52ccf521c573723f

SHA512
07e3c65075409193b77412b3bbed08179d6ffd08138dac50b67a8f51391a92a568058f7282c6726bff51c4e37d909ff35e8a96bc663264ad6c9e936e8f9fc8ba

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b346d470732cdcf00809eaee2e17973c

SHA1
149c8b6398b91ab44a421b25a7d766feb0d05760

SHA256
6c3218f49998f2130d935b09e5e91187e2cce98047d3f8785a71e9b0cc3a6a84

SHA512
77f2e6accce10c8205ebb3c8c533f995e7072cc9c1c8d2a42f4f8be1b530594004fa4add89feacaaf41e6275a8f195e0594ee511a3edf924d9bb524cad5929de

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
650f0132967d3d9893f92c95e9194fcb

SHA1
77cde74d82b251c29d1e447d6e73039b334e3b21

SHA256
1e1d1aaa5564ba2cec49912d8426d5b06e30574f28a0e4ff8798293416b10a1f

SHA512
fa29ee6d05e5ab9c06624e82b79cfe0bbca12ccfbd644eb3499926ed96cd236a5cadb32c7cc546c4485f12a01f13e7eb425600b93add5a68db41159fa06bc688

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
a6eabfaa8f4b415ca0e48e35abfb2754

SHA1
9172ef2de698df760cb14cee4a686587803deeed

SHA256
73cb5a03a4824482a1c4cc554e5fea45318ca9ee085826c2692ce5a3367fe970

SHA512
925990ff608d256a80e904768c8e163b26ecbf571ad05a75a2fe4271f9039aa14404046a305be5406ae02ea9a17334781069d25ceacf351491ebaf24aebc9499

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
972f675df1a4b6cd0926e226c78e7858

SHA1
9191de2c4d363eefbfff1d932d97d33f9c395fa4

SHA256
dd070fe3a393464c12aa65e7e64267075995c56ede53547ddbf6578112f49eb3

SHA512
971042ac74bcc6437e9aca4bcf4a5cb3bda4ba97d8bf4e70db0d9c9b92f27dc6d4b6184276cd8cb86f30dd54d1ab0bdff852288d4f5d307210443edd6875817a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
b209ff44b9cf2f8088f649fe8ef7f7ef

SHA1
ddc4e73b993207c5edc5a77c5835f04b0a7b77a1

SHA256
3219cb15246ad894ade6482dc27f5031a6053738acc9037d10f70411c8e5fb3d

SHA512
f57cc0cb8f88125f9f5880033226cf0e5dfa74fa685e1f2b4c397750211fa896fe6341c85078e392825af7c756b89930464689a048a271ba18bf064db9f62553

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
04841d9d23fb0925854fbea700a4fba8

SHA1
da880614f167825f1696c774af82e9d91303413d

SHA256
94271ca8c4b57ffa66c30a173624d36e2cc0ca4d393230e9f7d889daea0e5ca3

SHA512
f9e254b4b11c4449cdf30c427e134205ce7daef51807e03a057185d1634b77b87f99d2ab5b1e5b80b1b7125cc47365f33401aa7339a47ba524ce9533e4ad53a7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a9cc25a57d1741658a609b8ed019567f

SHA1
e92128132dcfd52a51f5eb6a1d4a241152ef9477

SHA256
021dd83ee6090217a01dc73fea452abaa4eda422a479447918f349973da426e1

SHA512
02f52fda10b5f6c2844e6a20fa964b42cfc5a81b834de9579b07221cb2cc1b03bf3d35e07cfd99adab0639f1536bdb527bf3d9218333460f60e946dbefce467f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
2001e7e2e2ec6e60363aa0849f63be27

SHA1
850b6bf99932d61f377c6d898487f9f35243a280

SHA256
a2773222d07ac7b638c84845397471ce6b8249604a60091e6ec6691262e5c39e

SHA512
168ba0170f931e95b8608a2bad5fbdbf1578b7485af821877d65b265904e5af118b7f80285f59b4f34aad847d324017da641fe65da6d93391eea3b527826e0fd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7dab43958392702f7c1d1cbba05820eb

SHA1
00c85e8e47ba1ca930bf62b4e89e6c5ea290e122

SHA256
21fe58135bed0b32a5b65520a4c55693c536bbe35256f693081242ec1989c36b

SHA512
e4370b0907883875b2ea47930c314698f227b635793cf5ea334c36f7f7a2990a050d1355b53162c6f98c1e369159d6578067386270c4fc49bdc4fa4f937b7d2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c5811541da61049d364b63910065760e

SHA1
66959aedc74369b24883d7c4ae8ab3a0f478b3cb

SHA256
82dd2655225f3b40cfdce0851412152375a58fd5b773a69294ab20e3afb9d7bb

SHA512
f5bdac8b2da7c19cde70323957228a32d18a66d399bc5f06a0880817fd05d9be89ff8f20f0aac240bf98b7d33aed04e611ac4a6114a1df073bcab282551d6533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
44c4af48a1c0af4077b2d3082f33d8c0

SHA1
57fe0ad9d8d7ea155148ab0fe5862efdbfb9b2c6

SHA256
b4efdfa34f51b34e55ee8eeaf28005519096dda958bdce08543e1bb2c365284a

SHA512
b5b12d1acc6290a39d51033fbc743af9316ecd0adc073af02b100eb12d4f6591b2b633d573678eae15137f942faf4b92de2689294553f5537ad57469fc3f1316

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
afe74c31129029235776b26925e2bfeb

SHA1
c7aad107cadd18847b13837a3778ed7db9653500

SHA256
4581b3bfeac8c0a7bbbaf53a841d895b9e498324e18e41ba2f3e5a7cd5a8393d

SHA512
866506853c715ad12b0e7490455372d606aa784286adf334f5c813760587d893a67c08cc5f3a446d6796c1a3e8d496e3c88f818fa9b0b90dd42c7c3e00a28d45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
fe793df41f6fafe331fc6bf351b29aa3

SHA1
8b9cfeeac6935632bfe476299da943b1f8a78f8a

SHA256
64c40d21b68370c92d3574113f889ade4d46ad06f127074e2fa075f8a21a14b9

SHA512
1f4d5a69191626605b27e4ebb2548648a18dc4262c068e87ab14dc523520c16f875aef5b51cc60dedd6361b3c72db4a27ad10a07a806f0ec9a84514858682cce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7fe22c622837fd5e6e41bac4d3ac5d62

SHA1
b3b8ca5bda4bd8266495c38178185b7702fdaa2a

SHA256
7c73184885e9cd7bee9d6cd81af3f6326ff57b1879d0f7b8622156514dc31036

SHA512
95523217e40faa5f4d3b8b5766bbda3e3340906924691205cad5f23f0f6032f3141d032b08ff5a4a6fc91a006411f14ce3abaac3338bde825f7ec9452730e935

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
81f6b085408affc70adb9d14be26356d

SHA1
0e639856461ab2c9cc656a833a045d42cb5129e3

SHA256
f2e1ad738c01d2760674465c4a8386b498ad60c0fc8bf4a3638c672c25dcae5a

SHA512
9bc1ed1fd83bacf6c759f2fb22a5ba6d8c19a3d69a3983282816884757330a675e5da2e16efbb534f325edfe04f3b24f18dd6de6c972937950789bae49038372

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
63f6148e16918197df701148f6246d02

SHA1
870ff2146c5acecc86562b8e6148accee4bc50ac

SHA256
fa5ed5a607ad964fb6f681123b19e6080ab1ff31ace6371e6a590f2021663bf5

SHA512
99bb8a4c86b176507c7e2053e7ad7ced2f8b4941cc8e0e911bcaf985e42c665997a26ee6ef42f48f95008a4da6a6ac261512b8b2954662da23e01880be5a3439

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
18f739b3addf3cfcb83d2f01e8c2e9f1

SHA1
1baee502c2358dd4a26218c8b843fed1ccf2590f

SHA256
abe788cbf108d5c6bb65b8fe3d8de733db3a44b55c112490e7dbcbb67f7875bc

SHA512
6707c161aa473a0e703cd82c8c889a806abeb861cb4e7ea5012523e241672551d9b8be7c1e3c7959418c7c6d38607899f74e940d47920e4e5f04fa1f2fdbc22c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
12d73369054cecac122facaf23a41eb3

SHA1
b836c84ca0c43e044ae20c89500426df2300a89c

SHA256
564648272c161a8e8d3b92a7549bc50f7a8b16cca33ef60ede86a0ec464a8b59

SHA512
b53340394bd5fb773629489c320a0e37870cfae361bca8a865c688fe6f5258d40506e0c3b06ae802074f8f7df732df542bcf4d0538111025a851beb5f472e418

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
e31b76c5253976405de77be7ea8e7e25

SHA1
2e53c24f7a6ca12054e948a56a24eb7349d8e137

SHA256
93db43d52b3ab846b2503735abaeee1570a8ed3cb0dceb5e3ff04b642e1859b9

SHA512
c2f9422609391f53b1734676f130109c4f8d58ea54bc4a84044ca08bece26ba5b1a02e0aaf720be1ec4a39332357eb7fa039ed78d050a1f82fc8f75f298b06b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
743123d6ffb97f8060ea1ab82570368b

SHA1
1561b0c12abe0bda93793468cbcf103e5506ab9c

SHA256
5b39de586e7f50f1cc6b354b44eab6b8031e54960d240b2fea5cd61a0e5598dc

SHA512
8bf7fe65fd221a8764ffd3c6b439d1b60a6e13717b8d9b39778baf3e53a9c7f04eb93875fe45719447d756a48e12e1fcbfba604be063e25c3c00aa1c1e915080

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
bc344ae0624bbc7d472cb815ad7981f6

SHA1
b706f208e402a5d057528086ee445915eb119cbb

SHA256
d751687b0afee9dfdc7192a696a9befb774bdc1f19d40f9e7880e07630a85275

SHA512
5cda5dd6bb00f29d5d6c13fc0652caf23831b42cfdd1d03b13876fd9bac38c951ccfb348fb9dfd342cd7c51c4d7067c0f4735282292e3a3f40ee59e12a69d1e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
65f05d100a982b81e3a7cdc68fbfeb72

SHA1
24bb21977dc8172d648a1fc05f89bebea0738bfa

SHA256
9b83c948540e874fab350a649fee2ca9efdc1142b0805b96a3593789a82c5666

SHA512
32355e50fda7b49392143ad5fbe4104de3bd8812e00bc0664f184b118d52f6600c551f598aa69f3739032efa421164bfaca813981442d8d02f1dcf34ac42341b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
c9bd33a31691edc6e1c04883f2fc9d4a

SHA1
9acaf3ad5214b727a94fba7495b9f805c8a489f0

SHA256
7eae6cd106f5d82da4637d56bfdb6af489a57eca4dda5a25a31223df4673abf6

SHA512
b9cd399c37287117b76c734405b5be59604903b96372b0e6eca0d27611ed87d170724be5ce82247f7f5274be0ffb2180e532952797bf4457fc0d043b1e4dec8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
0f52fcfa4cc2e3a75a46f08df3efa601

SHA1
e7328fc74f9c624aacd40ddadfb1b61bf61c93b2

SHA256
21eccf6081e453e8d530bda122347764c7a0110bdb79922400e220291a4394c7

SHA512
a3917e759d3f291e858da66798de2ffa45cc8c96a2f3827d70af1497cd899c501ebb8a5c337ee680b32bfd27bb923b1596ea50766437303276c02574d70aec20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
23605a6bd7db478b037c9820b7750ec6

SHA1
595081473f41a597a921922d4aeef835d5705028

SHA256
8e9f40831738c97674d031d8f6036508263d093558072bb03b12d2a8fe527a90

SHA512
b85dfb088fe92261361ba889d89b6d30c3a8f11832de634a7171a1c0934bf721e97d35b4757acc3f54d20c2528f373695834b81fca7d2d25f7989e1eee565887

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c4168fe82e91e8ee77a05070f804745f

SHA1
9aaec251cbf7b25f8100d6b26b35a1ce48568584

SHA256
3586aa5141a01b5a7c6510008f13e493eae584f020675ab9b3fe709d0344d763

SHA512
f43ca5cf20b3f717e955eb183e7809ce1f37def0ed019a9f6b9fcb5ecb0ab0e1ca2558ae9cb67363fb018e28f85848f5adc78609b2231cba62ba9242cd346661

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d84caf1f826a6ee9ff7c954f6f46212f

SHA1
d5b8fb94128fef4f2c77d4c246355297c128070e

SHA256
5bf1ebd846e245b7c1e376550df42e9ba485a30539388369c495746c45a94667

SHA512
cd9ea2583c90df0c9159f7e4dafce64db534518343e152e5f1d7cd54edec0c683a8476dba3808b5bce8cc7ff0cad4a66dcd6f327227bd395ba0b9841e87e1188

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
20908f940abd05c7e0402e83c417784b

SHA1
312d521aa91719bcc65f2a5907ccd9329b856a25

SHA256
24b13c900060f6ad361cf12e93bb579ce47fe5b8007daf7f7aba950f20541276

SHA512
f152123699c5b41d99025fb55d8ad25f90cee34a82104219d30b52cfd40eab5efa587709b6a214dcafd8e4a087110629792e21c2c1164d7523180acd1497b0f8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2bae92dbd7d6819c5a9b6530ed1054d7

SHA1
fd2caf22bc25eca5beafefde1e48be6d39b1471e

SHA256
4fecb5063f80b7ec19d41125c1bd8cd0cabdab14d3a369fa1578fa81a9996dc4

SHA512
587eefc7870832dba20ac57fe874beedce7631d162e651c782e9b5995d626f7e47115a4ed733ed340f1f3fb94e20c1fc237a7ac1656b16835ee28f02dfc8f831

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
34f6a956242a2002faa76609515126d0

SHA1
7ab1e037ab0bf2ecb0b56ff97cd3e7afd8cedef0

SHA256
ad6668ac0622e0b92caced728bba92dc7343fd60a3b0f7814a1718310e0eced1

SHA512
6475b8dcdeb842f1bd8b47efc22fdfe438935aeeee860667173b436cd56516c20f13cd493804b7095e446d61421cb9f95d3515a659363f5596b0b540ccee54c8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5465e32811887708edb2fd230a381953

SHA1
1bdb17c17de2170899f60a443776e3d83254f8e2

SHA256
85e4f2efbc2bf99fd21bd22cb12ebe9a5066350a4fadad03d3b334f2d4d2ca3b

SHA512
69a6ec4ecf5ac65e34d8640e3723f432a7925024f3374e4ebeb210bab88b176c99c19f604c67a47a1931f8e2036d4cf26c275686217e75769355d423f51fa169

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
54d6a91c5ad5a13e2ee53b71c7403904

SHA1
9abb332ecf0f7955dc27d61bbee3357cfb54f801

SHA256
3b913f8b017a5c39972c7f4460024f4adf88eb1c39f7f5c21a57851b073a77c9

SHA512
0180802a1f8da8f0f93485daaaf8ee7e7f4a04a09059cb6e269b035dd6c6cc9b05528860b78315493ff8f1f07fd279e7abff039eb8f7105950f52d8a2e287092

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e78cdb7ddec0d455f8fe2e09efba76b2

SHA1
ae0791846243e79c8fdab013ac4ce61f0972ded7

SHA256
b305c45f16148bbe0c173cd53e7fafc4d95c64bb75787651d6016cac57d2225d

SHA512
5f4a9c3f94b59df36632ead87b6e111c87dfc185fe0588847e1767b583ae5b92ee5b6157bff8ff7c8ded359917951545eb40ca63d08d7382ead4246f3c5cb985

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5a9209676247d2eca844298e421de5cf

SHA1
e981aab19d48c07266224c7398547ce60c91f87d

SHA256
0a4dcb155b0e86e9ec6c53ab764ea7fa246b8c4614549036c0e1ec988f8cdb57

SHA512
171575bbf5626f19ba5b13e8a8aade651587f3a6f7bdaf65638970b74d7a868b2a67c8411b1bc3ce76247d6530c6d4f4fad3f6209c54a4d4100f42811c6ebf6d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d97508a9585d32a5c31ec19741543e8d

SHA1
7f0526be496e3107c106b0e561452a00c4a74303

SHA256
e02ddb719e68163592f982a777ac31148ff5aac0a538c4ec85efa5d09202d0f8

SHA512
e94b38c23d04128e5011fa44b1068c85757acb5b46092d0689f247971f6f05dc76f99ab351cce161dfff1129632c342640a9de0a82ea9ff0c3419ef0a1a16dd4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1470d6c8cec16100c021de4371c8f7ac

SHA1
85129bc71685a1424c0783ab8d69d6e619a5e777

SHA256
d9e00c2f5d6f5c5a5f983dd560774dc0a37820128d775fbb08a0b1a4332a6ca6

SHA512
f01c9d1b1a64bbad4ef28f354a8d1432b0e339d0f647b112f4c1ede97074d5bd43762aba873295ee3c9771312dbb9d068e60a9229e326c33aa1c6af848587c22

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a150adce4086cfa70a0169c10ce143d8

SHA1
2683bfda21b8b776f0ad50a8779dc7bb1ddffadf

SHA256
68aab46ab17e31a693163937a348cfd17725edf9376fa4bdcabedb5d930ff380

SHA512
cda4f47d9391376ad09df8e284c303e652ef558fba58bfd0f129a40f5ce50f17590f658a3732fe5547ea3e3c4752f31888fe986e8186b6cbb234bd982d79fde8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
10f216ad07a8c570da7df99726213bfa

SHA1
6995e626026e26ff39b0358a34e6c60154bab2ec

SHA256
05a57487f64c24228fd8c6bc35d858755668029475d17f3110bd0a69f80a9775

SHA512
f36f6c3d9fd8f4c14008d33a57ebbfb9cd99ec5e8fdf95d1cf5b29b3e0f1c8b67e16911067237c65a914a88451cf78be4a52a98d625f07e6fd430e14f729ee79

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c5c59289b582b372544dff35e10647f0

SHA1
1362691282addb317665e48c6654c09039ab1976

SHA256
dee8610fec39d09232d9242bd3a7078bf365d1394bd279c1220c6c138e967bd6

SHA512
ffafdc4b80d0b46c38d7cb38d2406a3d996161764983b928e109e8ff204606f009c14bc995124bf24af59bd758a4dea378a3f5c1d2c4f193f532f909402f5713

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b722353795fd78ff7f4e58d74a353c68

SHA1
084ad2c9f9b9b3d8c29cfd0894aeed86e4348e3e

SHA256
d61c0c845c8913e0059b553b04edfd8b7ad443207e2c98e3d25a0a9b7900102b

SHA512
387605bcca6af748ad2618fc391d055f2e01987313bd04da236f46d15d404e14a9512a578146ded3017898de9ec29e6da2b3b50a4051aed41bf85b88d871fec3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e63c13b39d4551f337765e9afcba8de7

SHA1
9fb2a5ab18da4b227aa4533099b4170d738f517b

SHA256
38563d787b4fa0082bbe1d900c2531d8696fd29f45d680fc54530653199fc164

SHA512
b87e71a318931547adbb9f3ff4555f77618650c6d7db9f27a1c55bc16660c7136f0f69430ea4ca9389cd318e0982732aef9428b4517dd0fdf90411cdbd2310fa

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
187803b5c481df31f1e77920623e70b4

SHA1
0427a79b6cda6072623f96228a80e4c4752fd570

SHA256
7c276fd6869ee60fd0425e9ba24cf7a364f79bf931ff6c067794052951c09913

SHA512
d3cdf1f3f5fdaeffe0259cb0180814689eddc03ab1e9699fc7dea2357954d2da9882cd9ef3bbf8e9f39ae50b9316d3e86b97db6cacf43c5a7f27b78f28dce7f7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
82c302abfc1f11524328ae830155a204

SHA1
a08f18a77eb114992050eadb78c43fcf067d0e98

SHA256
1c798af7ccdbb220a1fe890b5aa309490b57fb6f0a7ab53c4b8e63051b43a0ea

SHA512
8234f09d44be60591d283fcf22b044b6ad05fbb5cd237b1890f456c035779660d2e8c280454892bd91019d8c2c37af9981a2a5728b92ac564c9d956d55ea96fc

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
72db616e62d735cdd72d50e4bfd92fa2

SHA1
c424312f28280d14bf57c1044f78edbd6158c8ae

SHA256
b869e84e9a18d445fb89d1c61321e2b1efdf489fba8ce05ee7f9a4e187386575

SHA512
737bb6deda046ae8303bae7025d36e0de4fedc48e49814e31773679d328da84ee9d96378a0726c0b0f44482dddf749a4ef977ddec398ba436b294d5e49b96034

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
56b14ca19d3ebac2793b372c299fcd54

SHA1
d35e231a86bc578ac5d51ac64a796868fa958b22

SHA256
fdc451ce758a1e8d385f3892be103e5bfa46e73df43206d4c598cae246630894

SHA512
7e75dee30e7460fae5e6cf4e665d01a0e19f04cf4460b746da0594c9fe29f6d563f51441528cc8d0dfe560076a24561c80ea1d80c3d0d4ade5ac3e5b872cd64d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
faf4626543abea3f10ddfff2e18b2da4

SHA1
663881eaf0b9077ab6cab172088d88e79ac7ca67

SHA256
d0f368a9b3efbbbf26594007c544123293be7a94d3ca09038583de853deecdec

SHA512
633179eee7a3447dbffd95b761555dcce908d7c43543302058b477f81b8be9d4d99d1b7a7429997cc803026a10e9eacdc32881cc99ab027b339a9d4a2e54bd8e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
6091cbb150cba4d40bd4543f1c993beb

SHA1
f0cd1a593d3929b601f7cbb94c16e09592241623

SHA256
04d92b1c9a677d23d1192f9f87f0a879b86258cf5c790e78c0f61829d2aea7aa

SHA512
a50c24b2a259b846565b065ca0cec1865f49a9f7bcf1fc0e4ecbaacb8dde6da805ccdafb8cc8d82dccee11bc333426c23d877b1180903b300a9966becb422f64

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
38d21ecef3f7efad9bdd3f1ef060743f

SHA1
0dec98e8b9317eacf26773d39b4bbc32154de6c4

SHA256
e813cf1e5ccd7aeae64bfa5536fe85e5fad1813818d1f52766d08864deb1b91b

SHA512
6e1300789d3112c0fb327b0e2a3c93e9aeb44abe327a71fbb6e5f558155e3e06b0db37b71778119828bb94cc8051a498286888a044503d41324a38f9fb4a2b56

Download Submit
memory/428-230-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/428-120-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/552-293-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/552-613-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/780-563-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/780-270-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1056-393-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1056-192-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1164-206-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1164-464-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1636-54-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1636-62-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1636-60-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1636-205-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2324-151-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/2460-8-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2460-23-0x00007FFBC48C3000-0x00007FFBC48C5000-memory.dmp

Filesize
8KB

Download
memory/2460-38-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2460-28-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2460-78-0x000000001CEE0000-0x000000001CF18000-memory.dmp

Filesize
224KB

Download
memory/2460-40-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2460-181-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2460-9-0x0000000001F00000-0x0000000001F60000-memory.dmp

Filesize
384KB

Download
memory/2460-150-0x00007FFBC48C0000-0x00007FFBC5381000-memory.dmp

Filesize
10.8MB

Download
memory/2460-162-0x00007FFBC48C3000-0x00007FFBC48C5000-memory.dmp

Filesize
8KB

Download
memory/2460-24-0x0000000002B20000-0x0000000002B54000-memory.dmp

Filesize
208KB

Download
memory/2460-79-0x000000001CEB0000-0x000000001CEBE000-memory.dmp

Filesize
56KB

Download
memory/2460-118-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/2460-67-0x0000000002B60000-0x0000000002B68000-memory.dmp

Filesize
32KB

Download
memory/2460-0-0x0000000001F00000-0x0000000001F60000-memory.dmp

Filesize
384KB

Download
memory/2732-596-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2732-281-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2756-543-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2756-257-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2804-182-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2820-138-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2820-269-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2876-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2876-48-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2876-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2876-42-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2876-63-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3368-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3368-164-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3368-562-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3432-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3432-235-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3464-82-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3464-94-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3464-88-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/3464-96-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3504-21-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3504-132-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3504-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3504-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3604-494-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3604-246-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4060-489-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4060-218-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4228-76-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4228-217-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4228-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4228-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4264-36-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4264-30-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4264-51-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4320-98-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4320-121-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4920-133-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4920-256-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download