867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
Size

1.7MB
MD5

b6eb052c038db4c8a816585fb41d9e33
SHA1

de00e6381a9bd55e91627ffcd78991d168fab863
SHA256

867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193
SHA512

5f0c0fe833cf4a32a5003559ba7ce35483a61160f31c81f3e3b278bee4dba546a1777c7f4ca51b1f4a433885d93d89374a1bc1cfb55d70321ce72c9bf2b7c4b2
SSDEEP

24576:9Wd7S8NK3oYpkTcDvebZI7LrS/85RkVt7jESkQ/7Gb8NLEbeZ:9KxNupkTcKb4rSUfkVFj9kQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1160	alg.exe
4716	DiagnosticsHub.StandardCollector.Service.exe
672	fxssvc.exe
4260	elevation_service.exe
5076	elevation_service.exe
760	maintenanceservice.exe
3144	msdtc.exe
2120	OSE.EXE
448	PerceptionSimulationService.exe
1296	perfhost.exe
2564	locator.exe
1972	SensorDataService.exe
740	snmptrap.exe
2096	spectrum.exe
5040	ssh-agent.exe
812	TieringEngineService.exe
4000	AgentService.exe
3872	vds.exe
2140	vssvc.exe
1020	wbengine.exe
2776	WmiApSrv.exe
4660	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\System32\msdtc.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\msiexec.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\AgentService.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\vssvc.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\spectrum.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\wbengine.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\332ace1c94857919.bin	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80171\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040eb15a76d2bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c3681a76d2bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d0f5ba76d2bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000283c05a76d2bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fbda9a76d2bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008764cea66d2bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e18bd5a66d2bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d9783a76d2bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
440	javaws.exe
440	javaws.exe
2040	jp2launcher.exe
2040	jp2launcher.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
Token: SeAuditPrivilege	672	fxssvc.exe
Token: SeRestorePrivilege	812	TieringEngineService.exe
Token: SeManageVolumePrivilege	812	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4000	AgentService.exe
Token: SeBackupPrivilege	2140	vssvc.exe
Token: SeRestorePrivilege	2140	vssvc.exe
Token: SeAuditPrivilege	2140	vssvc.exe
Token: SeBackupPrivilege	1020	wbengine.exe
Token: SeRestorePrivilege	1020	wbengine.exe
Token: SeSecurityPrivilege	1020	wbengine.exe
Token: 33	4660	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4660	SearchIndexer.exe
Token: SeDebugPrivilege	4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
Token: SeDebugPrivilege	4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
Token: SeDebugPrivilege	4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
Token: SeDebugPrivilege	4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
Token: SeDebugPrivilege	4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
Token: SeDebugPrivilege	1160	alg.exe
Token: SeDebugPrivilege	1160	alg.exe
Token: SeDebugPrivilege	1160	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2040	jp2launcher.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 440	4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe	86
PID 4548 wrote to memory of 440	4548	867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe	86
PID 440 wrote to memory of 2040	440	javaws.exe	88
PID 440 wrote to memory of 2040	440	javaws.exe	88
PID 4660 wrote to memory of 1872	4660	SearchIndexer.exe	113
PID 4660 wrote to memory of 1872	4660	SearchIndexer.exe	113
PID 4660 wrote to memory of 440	4660	SearchIndexer.exe	114
PID 4660 wrote to memory of 440	4660	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe
"C:\Users\Admin\AppData\Local\Temp\867ea95d8c42fcd65be57378b9c6b64c0529a019e0968c2d5c87aed6505cf193.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:440
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2040

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1760

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:672

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3144

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1296

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1972

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:740

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4152

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3872

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2776

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1f662af8dcbeb7ea27da9af5b0591a79

SHA1
e32ae8d686128a976f9b64f2bc52752e2f32c457

SHA256
1579d9287fa60bfd45ad3b0404f2c04af0bd53914056c7915a60e2d5190e068d

SHA512
bf7119560603cc4d7768c57126b7ec97b8aec8a7f4620552eb89ecc51c534909c3628b3418c890df714aaca760d0a544f6eb58cc1648ff8bc585ddb0b2300a85

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
285ac8807172fccb1210a414d39099d2

SHA1
255996e95f95955f032e16b58ad3ec734fb4e80f

SHA256
59e6a4037905d6c84b19f5acd9766c6c4dccb789e180dbd06368b760a6d0a5cb

SHA512
4248f601f49eae3a3144bd3aa1551425eda758afee131d6458dc4946f6cbfa9e80d6a505171a7320338acf460a37c6edcde362c09f9ada31d8c13db0e627daef

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6487fb65499df53933a7e665a3514e36

SHA1
c56f47c4e2a2829dadd9f7c1d6fa1f453094152c

SHA256
a20ced69f82c8518fd6adf681044d1252005ac0bd5d746ac8c30009005c81fe4

SHA512
3be17e6808d6c08c165a8f116a44eb3dd26c8dfa5db0f4254245f3d62e600c3d049641be6dc1136a5bd575e645d06ab8d583997f672aa8fda4e74466e541df3c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
af6d45ce75a30eca759ac6fd3a47d05b

SHA1
dfd9663793645cc5f0b7209d2bd556a3459dcfaf

SHA256
d479c88a558d436df6e77293cb074175705adb1d77698b42133f4a545550b2e2

SHA512
6a9aeb1e03b1be7e702cf454630a5f6ec79efc847eaca29d2c959fa946f999aff065f196e4f61dc97a178ec2374e39de6e076fae5d8a7871cad6ba67e5c96bce

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a122410e533aadae97c315e5f18572c2

SHA1
64a632d0c0e57c954ea6a36046ae40b5782b8fcf

SHA256
63276ecd587d783866b1b7cc2900753c5f00b301a32e3c4e8a4ea5af7eef41cd

SHA512
b73f57c36b113169d96196c5ab8b217d448bd9fc0d732665ce5620390468452c9c1da7cb903731576cc9f806c717a24fd859a5613785160be433d63f491dd03c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
2aab222729784e89317385b16a530738

SHA1
e9b2720ea47470861c00a14c79a9f054778a6807

SHA256
2b249aaaad9faea85f92610b4d49cf4c17375a26167bcb8d7fe759d9ef64d758

SHA512
30e7c9fa4fbf275c2fa409b8ae8562926487aa5545cd78f81994721711da2d556e5ab8d49dfb07e4282cb2f0627024b3d1b424998fbdf570aa490993d6d86cf7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
e1d12721d6cd709d04463a7474e5b9a3

SHA1
c6a2c389b2dc7783697e31e1c1c3d927e5657077

SHA256
41825dee7fa9c6963730d531edae9c3b4cbfbf09cd559d4d558b7d32fb9de53a

SHA512
56c8095ecd94a2510fc6849392fd63be96313903a3f32e9278567a97410cf9874d079e22e538d67d06828a2cfcba4101b76eb5313f715a69a959575944066ae0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5ccf7e5373e1eccd1fbd0fba292c1249

SHA1
bed470701103c5572ca367a10c65624248c59494

SHA256
36243457fe1e27ca8d71b80a9b2aee9ef010e05f881b58846719defe57f3965c

SHA512
95fd0bf0b9ea761b567478fb558d8d2ee51362c405e45717b862a5292c3c67e25a39f85679cb2a96d42f22375423eea31fa95c6fd111a675953fb6e1b4532a32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2ff37bda7d02618c0680cc39c4b63b77

SHA1
8c85d3583b33b1615008907cb30c45f7e949d312

SHA256
70a2316686cbe4ed1e2f80b95f547acddfcfa8994b8704c5135b46bfe5983f7a

SHA512
f8a5ba5197ef2eff38767270b7267623b16fc3a259d84d4e0a9ad8890e297d411f37ee65a84c06ce970eb65d1228372907956e8d7bdfca762677bdcecd1cd59e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6c025a13565ce83bf12cb6fcc78652f7

SHA1
4d87827c1a092a36272be86df6f85b0f4151e394

SHA256
fd5a276cac4844dbe4f959423ac1dc48846cde6f8f096286292dd739f159e4c7

SHA512
a3968e8fa6a85593def86bd6bd66234862f8c0e1a450d6a15e409c48558715defd237670c904a7e215e1ce7aa9e22761124dfdb87365f2a63ef0a3fa311abcc4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6c83470e2477de0fcff39defd6bffa29

SHA1
4552bd0e1c0bc45af55c65422dc1f9a49f11f3cd

SHA256
544a9bce4d81a5b7e8a5b546ef82d895a1c349748afedaaefddc6e9f09c752ae

SHA512
87ae9dbdea7a666b48519aeafb3f97a601e52e2162b0388a8ec1d8fa983efde2860449d85b03c57095d0ce01419f79213b79da6062a1ac0ecc9957039411641e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
41a7ccbcb3d24620a48381df42de655c

SHA1
bb56286aefa5a9b2b0dd643f85e6e0f0dfa7c779

SHA256
e6d2c76d77d644efb81af07262cacc1f61415c882efb12b59c0b297254eea8ec

SHA512
02bfb159dddbdba4159288fe4ebc9897d5ee08e5537c2f4c072883c50b88d1c57b42350768e34b141e918d0d6c6af4079914e75a11244f82a23a73949de72163

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
fec5d09220ee628ac9136d170103aeb3

SHA1
6db920cc82ece5fd44183e5884af8f30fbb62ebf

SHA256
522933a353f3215a7ee9f16342f9f5dccb3b80dcf7bcf88c9a8a2b42040e3486

SHA512
323ed02aee3a974ea533589af800b5f2d6fc6458162b68d932de996b42fa3cec965f026c63c1cc1a25c7e64dc0f06929d80af4985da6423fd39289839168bd3d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
acb2d1bd2f43ba9f28108c767188b501

SHA1
410281f3d1870a89ce842a823750a9ec1544f5eb

SHA256
697c1dcd9fc4e9b062eacd758960eac2bf747e5467829c2f23c232dab9a48db7

SHA512
24af6d311f5783589fb3adf6b6ce0b89326be93b8b0c73bd0befbad55f3e339d28889beae10407ab1eab0416ed4bd5325dd14586f24d173156a9d7b3e4145bf0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3acf24ba961f0fe73327b9cabe3eeb88

SHA1
ebf2aeade971a456b1a9b4d91655f653e369605e

SHA256
2cb35af64185dcae1e4f3be4adedded5d9921395a172b577fe034814914f0abf

SHA512
45921adfa69bd0ef129670df8c34126e52ad6f964474e6f4e23912d577fa5c3f6ca11445fcd857f7e1f7362630f794b2091b85f8ffa9b0dc03ebcc79babfb7f4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
e5c057bdf2f8afad0dc52138b47e2d68

SHA1
13afbbda33ac9a7c2db00f33adbd895a49bd37f4

SHA256
cbe848ef3ef2a8e35bcad0c09b68cbe7618d239c564948cc41aa93c48cbe11c7

SHA512
b49156cf46ffd6ed463d08e6196987282d1f081a19ff6b2bbbe9d554e5c76a47a5eccdc98dd111f03887188209aa80625c465de745ab2a7086b979f563a9bff0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
da6f5d8a728a500abd3befe273fd3b87

SHA1
3220fb6d967a8d6437fa3539dfd5701d04fa4245

SHA256
2b8ba4a1c43e9de0500c5e2b96cfd1c50b11d13756da74df28c4cab2baa0aacc

SHA512
a62f7072d6c0e84d1314fb7467f551fab76176743320446b052fe51bb936b17ad644f6d7dfadaa9a090372b046673a144686734f62132712ccba13d6da490d25

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
9f13b09708221df8d59f915334e5c697

SHA1
e367b37ad855b4924ab50e9d1af5490fc51cec27

SHA256
eba1d41b70025c8fd468107b51d3ab8774caf5c2685234af63c8b2291a4fe60f

SHA512
6281f2c4ac36e0e921d42a7dd071bdb6fcab4795240d2c00634a7b8a5ca0cedca699ff05625a26922ff3518487951bc78a43cdbef308dcb391d944c2f51c96f8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
2dea01b0d5a3f5c11d20526750d3e934

SHA1
15a47622f9b50379694888d40b7e14de66a45986

SHA256
ecb70bb06f426efd5c6faccfba575a4af0c987f2c0a001d22cf4b344765122e0

SHA512
305462cd2e45c240e8c26d734dad805793dbda53421702806cd849e443e1f4ea95cdbf80a1ea62213a9d77d08f9214f3b9e20124bcd7b25e767c907498bb9537

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
9e9ed98bc080484b6f93e6d3e80b644b

SHA1
e80bcadf6cd669bb1e6870596ece48ecb09c01af

SHA256
ffc1f8d8bea6132ac5378a1188c1648891c45598e920c9d795fd02c7f2149332

SHA512
3cfe4aed3b938ff3761e910124ed5419773927216e04ffbebf97f87598dfcb500222df29d25c791df92674f859970292f4131b5a5d30784b442868a1603d20c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
049e67901730e1bb45c4a9ecf94f0dcb

SHA1
08eb6a3e572b3b0e4f9954b87cc2fa6bee7a2ef7

SHA256
f2d0296aa938ed757698f3be338f7a00ecb554e0fa4c03d42c17a237b2b23927

SHA512
5bf8de76feaea5d3b94e4446f460f833639e9978c64b3f04f5a904aaed691e1a2032c3beaa27c13e9dbb5af903fcb05c28b748e00dc92c205186e991a79ca4c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0c22bfd48e67d6f4747b09962a7fcaa0

SHA1
aa58f1d3f048480a8542982d7de3ccf7c7b4c7de

SHA256
13b2524d591149b375a6f73c3dca956a7f2e93d4a7445d6b877b1a439f7dd1bd

SHA512
f26a6dc73a4feee8e70bff51f058fa1ca3ba57e73238de72b3f10d25ae30f9bdfe9cb0fb6aafbeb724ba4ebd8d9d0774b3d342e270487e437099a43b8c189d4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
441749ff1ea5f2d6af3833c84cde09ed

SHA1
6966fa615573ba6a7fbbc410205d4e3c167e8ef2

SHA256
0c1426791982fd474c719677824cef84736cf57351c3ad9265aae51592d028cf

SHA512
2515e0a12e6a560521f7ebfb22a5aae5e5004e97c68748c30d77956547ae68d8477cb14e361c0fbc3a83ac197038f50fc9e71e173d53e846e216d3e9243fd0c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
59f19dbe9ce2d01b771088690f5a4c34

SHA1
d33d3a6fa3d106f7b518a63f7b3173deddc7b9c8

SHA256
fe1920394bc49bb3cba337437c43fd0e24701cbba161362abec9a94263cdfc42

SHA512
f547fd5d2530b3eb10890c52752e701e98e8f75f0ecc6501fd4d0ed6d946319cb8b1c498f18483fea72f598373462a98d86c7f78ed90d46e4a037b88d0c93ead

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c26ff997ab8b98cf4aba3ea9ca9609ab

SHA1
0d182fe6500304c12e22705d97660aef883df1f5

SHA256
08848df622a1bc7869901a05d88d46d360a018b27e5128dfe25e0626ecbc8778

SHA512
ba7b7fe3eeac2ccd3ffb171b9b375d366912702ccd2f4ded54047528a072a6bc9bd9f53fe0c9b0cfa5f8e35b5f759e46c6a1bfab30956c2fd3ad8dffa91dd935

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f2220ec954709efec6a678304f0f89ac

SHA1
60ef5460e2dc87034a35e7e45a9f17e99d0ac2c9

SHA256
26160e1a7dad007757ef73f2c8b7ab485047a1546eb274ae90414e6125cfe13b

SHA512
3c37aa7c36ba35ed900fe9fede1f20a18d4a710894252b56ee9706c13c59abd465e8d348e0f2406f975d1cf57e02868d57f20add032129e217cf73db82d534ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
cb6cd6820254be7a1754bd40e5ab3ea8

SHA1
85c33f8fb225cf5ed4f0ca0b4f44e8c53f5e728f

SHA256
bb48e901c5c858b836c71e2d39b7c6faae2c21f11773a99700b67533091a952f

SHA512
93df2e913c3e8a1fbbd991b4c51733427bfa520a1c9c134ed72a8dcbf76677016b54fd7a93e7f7fd4b2ac9821ab43911d6baae46f20a5cc4ed501e8fc67aecfe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
44ff9b05d30a4990149f0ce6dbcf6f29

SHA1
fcd5c9406e7b2e841312c4ef6c072500e3fff857

SHA256
cb607968441d2c96661e5123edaffee7eba2144ed4a9c91d7de30cdabb3278cf

SHA512
d43e44945fba227895bbde2b12eafea908debe33f2ddcddd04f733de5dcdde7000dbf04c488d31fe4e93e04f10256be0cf3a4d798d9fdd21ed0599cefc925482

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
dcfa77ea561759065d7f829bbae19a38

SHA1
50efb699006e82dbb158c51aa60922b2fbceba72

SHA256
624856304199a8f5f86a32ac9907b9f8e2eb1e3949ba029f053076183269c180

SHA512
effd7f585da44fe0ed1419f3ae646e64ad7fff1f5c3f347319aa637f550ffceb03d965ffd854281f0f5fa55b2b4ee44aff3bfd7b2fa268aa23a495306f0606c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a0e767dba67c18c5fc0773bbd2dc2071

SHA1
be859844706e47ff04fcb4f78b72e61bb7dbd536

SHA256
ba56e184ef579fec4e53acb39c969410b68778bbe5c1f0d96df689417309e19f

SHA512
306f475a9cd17a4d82cc9e87b6338d34f296fc68ce7fc570b7ff5e93e397b37b98aab3cb1df609e5b5bc8e7f08fd2bcd314d5f5c889923806316d39ed02bcba1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f0d063a62a4370eb170ee3f74c1a94a2

SHA1
bdc6b30a83879e2bd0e33d91fd309d283299cb34

SHA256
9182954e05302ec22f0df5735d8da4e49afa78474a69502ef8720fe8e4938c3d

SHA512
23d40b7bac2c239212084ae50bc12b93d7046d754bba2dc32738c85ab10db1e41f99cf9a9c358efdfd9964e61f720102d228dd7853b5d0cc3fdfb2fc997d0b63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
16a1642afa5cf92ab4d952a4ce556249

SHA1
be7130409bf07b676642bcc8bb82630a26f13a08

SHA256
0bac6faa1a1122fa9da3c8fc03ea33b9c13b1ecb2dc43ee4afebea67067de7b9

SHA512
59ce7756d58084bf868ff310c346b5a4ea12f3e63c3cfe3a9694c81bf4c9049c67fd4656b43a79da0bcce1b3399f9c06be072f407fce9b36a29ec0c61cc45e3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0a66f74518ca16ba6b4171226a72a6a4

SHA1
3563d8a6ec6594fcdd5f1e477b99faf9f85513eb

SHA256
4844977bc67a5cd9f48d985121beb517db026f2258bda259515b91da4323c591

SHA512
2e8825d23cc97aa6414cf8d176393b20952f9df401c0aff4c6e9cc226fb76214004234a1f698c4159dcefa7cde6107d12de30e556a2a880fda653e18169b118d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
94b5dec5627bf70acb9855ec8cd4fdf9

SHA1
753f2669537c803a96cc4cd0389f3f1493c15e25

SHA256
fa79c54e8f11dd582cd34fa4f8836a5a00540d67d9eacd9b5753fc4bf3abb189

SHA512
bc2d54907a8836578c618ac067fa51b06898660987f30d2073a23b498e51fe66aca6239642c433ff4b297f7bc9f926930fa2f4fb26a2db221b08dbf8af1e3ec6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
904d81189057dd2c2294e32e481495ed

SHA1
b13887ef9803ccd6b47ab15ef45986112d74aa79

SHA256
2af96da20697d0a6f567fd0d4a2fb36216029d0afc3acdc377c2b2c2e679b70c

SHA512
b1cba3a41aead5e8c22434e6ec7519609f9da46076e13e87b7ee283ce10dd38d0acef7a5add2f5f47d706a288228893a35312e5d7f5776e59f883208c7f23f20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e31b83875e6cf886c873e878bd54a01c

SHA1
6e85ebe45ff060a08e262da9bf17a9f7509bb806

SHA256
3bc83d1609fc92110d545675c65773efe05aa4d902cf165166e894300add26bc

SHA512
15578fe37189888504b2e1e2eb8c2f3f2d60256e3979c35ab79e379f12367a9c6a1edd969528d8c1304cf9e6019dced743f21daa5df583d041af1fd6d80b5f82

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f67be2a0415d11bbdcce7e69db83c3ea

SHA1
add81204b55e562459b6cf4cff6dfa35f43cbd3d

SHA256
d07e7782d707da51613df5bfc97712ba2ca25b65470f483e6baac6e14a780f96

SHA512
bae0b047923661a10f5731884344ccc4db229829a4247f312abffd25076338ef4a9c211543c7010af721912fe49a6b4193b36fa502814b8187b0f49c09fedb47

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
491dd9c9a4f10ecc0fb603a3d45b4a52

SHA1
84164e4f7379c58d6febb98032382643939c6d95

SHA256
f1cc4f11806c1b901cd4cd31e0385cb73334cea38268dac7cbe4bf2f5829cef6

SHA512
af8c1422279cdb172b99520daa3eade174b6e8732dec6f49d500658188b20379e7edfcae76f0fa69b74eb8a56e7f925262c7c05f2e71ce3d46b65033bc406492

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
896B

MD5
42473d85b6663525e402bbe7a3ddbaf0

SHA1
67114b3102297aca5ca4f87ccf4fbae1d11c3a99

SHA256
92f2b44e921d4fc33d0c522f13684654b96cff275e4f2d483db961c56cc5f82a

SHA512
fa16566ba5ff1c23d3edc8a5a86294eefd75f69f204e42aef9bb94752eb54be9ee3a0f4968ff0baca7f179a667f4431d010dea38fb22639a573a3d958fc99173

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
a66e19c05f3e0b24ac077a37c2b7589e

SHA1
8b9ad1517985c48c0bd11670fabd3648bac9d1ff

SHA256
9771364d53fa9b1bd14cef7e48be1f5df23b11aac9f5cb6763a4934b3190e126

SHA512
0876a0072ac19f03818a2e5d77cec638470a09e40cd3794d901f1625c3f701f7b37a5cc6e23057a53e62d6e936f5c90bdd4a2c811c64dcfaa20dca5fdf63565f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
3bcc3afbd22beab1b478fa4594df21af

SHA1
65a04997b7f69502f76d35840789dd0dacb80409

SHA256
59f9f454382acaf537d1927838cc2550c08b9de895f433dfd16a560b9ca4d8b0

SHA512
a290da502e4d8b990244b4d2d14db4e67e9fd4dbe76b4f5357436672f10d90020c4112754b6e1e03501351ed8d9e2f73db401c1c59da0582b88c7c31b763206e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6bb006df61972d464cebb4f1e8209577

SHA1
c0c46bedfa45192d3ca87e5af5093e209e7a1027

SHA256
459100af17eac9bda32919b7b07b7057f4ade8b79fcfb9b7fc7c7d916c9b7b21

SHA512
c2280943a64c2dce5ef8ac84a5f102c41f202ee2a4e046ca1533c440a76901a202ffd9f397a6884eea3a44fdf995b61ff3e565b9b22ae33190c4dc3a988672e2

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2aa7f5ab7f0a806438332d027813c512

SHA1
0f8a135cca2458e04471700e50b6cdb9f7a6e5c0

SHA256
e4b0d8c71d53ce473cfa61774f718edb6b47ce1a66b0f4011334dea871a806c8

SHA512
dcd2e7fe116a5e3fd072dc9d7096e06b5485ea0d15b2c2144a8a67a6c79da1e07eb8321313817da6d1d80b4691cd24b4ba84ad22b6226820b2114c09ca453a32

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
a82cfda5f9f9a43d4b4acc620d583961

SHA1
f96650e36acbfeeef22d41ef50931b86259c9b10

SHA256
031dc23519d83b89207fe0bdf8b2fcc3f8af1b1c71224b46356541ea42abcd69

SHA512
5cff05b0748febdd17cf83bbb5a43f732205fa8aa5c48a656b18d69dddd7625a70af9a3c83cf8769e6f9edbd1984d9848fb0399153827a69cbb5a15d7ef9d348

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ecbb57655e82d0a3dec6f90d79695462

SHA1
3d633a02a13c6a4a801c0574a67ad9844cd26875

SHA256
4e780490e4f2df85323b51d35fbc4681d737503dc87eaca05061cbfa7784bfcb

SHA512
c50b4eccff1eab866912163845a1aaa42edf814b38ea3460a9ad17c41caa244b2fd87eebc6d0865c281a739a5018114c83f72049c932a6a8196c695efb005873

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
180189b406d74a063270df1d655d6621

SHA1
99b45535246ea0a8cc4fde53ca5557e38c3d9711

SHA256
c31252b4a498c1d54e5698bfb5ad9b0b7a2400d3f880313e2806c88ff05f9fee

SHA512
64edd658b2694e57cb425d769e74df906d38961db33ddda5dc880bfab5a617a3954dfedca0366898482ac6e82fa41b128c2c1d2edd2c173e640e7aeb8a85f732

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ce426a4d38006a13037890c93eb930c4

SHA1
b759e99cd8a2ddf2c3352440370faad9635740c1

SHA256
188c5ec2a504685598fd000e6c97ff072348fb4c4c849628cfb430e4e44e1094

SHA512
ced90eecdecd08f72461606a85383c076963c18b5e0c9aa5d8b2e09ce659d4742be88069c73748e4b62cedf89ccb4d4cd04c38ed3e8f407f5ca1398f76bec520

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
63c83b0f4abcb368d7ffc3da116976d7

SHA1
f8521ecdff7759b35c00c29e67f4b28745186f0b

SHA256
59b2b639bfb04c1a9f669248c6359cfd344e644d9127f34ced40e3329430c390

SHA512
1f12c1ac4989c235a5fa8558c27dd5b55b8c9590b5acde637dbf91503a71728d0239a1644ffb78045158a454445797aa80418a8eb2c9c286c900b55965298ba6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7f7cf5f8940d95efc78f790dee7c46be

SHA1
698a411285eda4d66c52c78aa9ab27dda0c75f51

SHA256
5d598d21c3ed265e78d6aed0c52289e89547e907188e17235ab6fd4997fc9019

SHA512
aa75a9fe50f054166f545198256923eab334cc3fc67b93d73dbfcafa3b9f9117b8eed03e5aaea2088b6c74d240a2c03972f0d54598f882a502bf46ac5cb812ec

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a2043cc11d8405dbb93f7d9642a7669b

SHA1
008fac1c2801762891cd8c3b41aa357df5bd4cce

SHA256
938e24ca98d1ca7ef2d1ed950de54b360b37dc144e7513419f68b5bbb7febd9e

SHA512
ab609e1c14dbb9e03b6540c3a9f5eb0b9e81a9781f53b3078b29c29a8dbe7479ae6602f56a90fd431dd4de631c87f3de1b94e11592f40886f2938f59a70fa800

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4a50d6deb67c182cf70102b39ef75805

SHA1
1afd6e05b8ab1b300b6987f6a2fa09f9708c64e9

SHA256
c9b8f3a0e73f5337fc2298ddf7931d668135de405bd44270c42385404107cb06

SHA512
c5b6532ef3d7bf22f0f043df5520c9611928a0aec7f0ab41c44e3bfa8e4634204b6c9f3f2bca00c70b556983e909441d69b25adee2f0de0dc198b1bf61efa3a8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
21dc1aecfe9f252255fd2f0442cbcaae

SHA1
0fee369426a57a646bbe518222b3a8e753381823

SHA256
d2448a30c37f1c2117ebc654cd27b3f525637b445be88f239a0a952e910c6e6e

SHA512
f177d76c67ec344b92c835b19a162c9f23e23b64fe748f9bf59035a96c0d994895979998c366e5cbf9a8ccedf14b2d86aaf49282f5ae185f2157768f4138f0d1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
887bd2ba720b2e308162e3d768385ba5

SHA1
1f79e36854413fb05775b9311babf5bc996b5976

SHA256
adb4339d7296ba1312644635a2105f047fadfcc292679f6109051a6741da3c80

SHA512
8cf0c91992beae620f05609045634dd579b61c78ec53c5421cae9c34ff98b305ecf7fe79c260248c5d08cb56306082b57b2250eb5865f14159e0831e7573eb5d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
740235d798f2d8db86f0014e28d4f754

SHA1
14cfb21228c2fbfd11ac4c2723c9947a8efa8ff6

SHA256
ff6daa020c9fa7df6b4d23aea2819e55f5943815f196464626c7bbf2d46e5ae1

SHA512
952fe6a0ae6fa7386d873be07f8491613c630178f620ad144324da9543423cb3a56085cb6f0cb32fa1a993c44fd7907dda37b644f645fad2d909f0a33626d0dd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6bc03dc2743114a040b8de73cb6f1f85

SHA1
b8cd48b809120efe711dbbb2fe68310898c7e1ec

SHA256
feaedb327094c755fc74fd479d8772bc362a1a1c379989bab14c86a7e48b6853

SHA512
665a58a163c2766c516ec8f7ee61adaf7c445c6177b9aef97823c56d3f43127fc2be972593513f6a1b3d64f967235fcb8999894ea480c140f8f1d84ac5f347c0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3df8801bc54b7b67d4ded610e6a3b2f0

SHA1
f852d3421addf0854484284538745bcc448d7d7d

SHA256
8a45f05243d95ae9102ca54d66170c77eb37ac4ff2dfce8c97372dbe0956a4b3

SHA512
d76de2dfb9e53ead46885daf958eed081827e2a65421251feb8da4d8d7d9c8323f1fb584c439f86d8577b19f350d9d8d9e7202cf58bfb667293ca094e72f751a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
61b85f684edab1671de6fe451b5a3a21

SHA1
33114e2d5af77a741a5fa3fedb1f9a6af6fe4aca

SHA256
79de7ca4978ba1010a8ee1336b182ab947dc982693cfac1f7c064addb1f32d18

SHA512
4cd3dea294e51b0cd7f37f49745aed89fe6202593a24eab2f4899d495422b60b3751ae0025c316cfefa4d233b2555c0c0c0ad48a0d1b89ad1898be0732635e92

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
9a4fc1989dbcdb940a14114bebffcfa3

SHA1
69dbf1e51ef57b2ca354021025a14ea71c8c711e

SHA256
2581ae70eb08df3d4a4693ff36a130b6cc0605498bf3217f80f5db8ccece6a4e

SHA512
af6110ac6d9364f506dcaae578efdb20bc05821cb182018aa4150b453ca94827a531ed0e9426acacabab2a19df0b6f553d54ef284496950eb2636871cfdb2a53

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
74b0969e3a11a253e674f58685e8d4e3

SHA1
773cc92d443acc8200b9e0161469e0b8179e180a

SHA256
851cc7a97e2b16375a0596bccb106079abbbad81fbce5261f1700609d87afd8b

SHA512
6baa811fd6ec1424497914f24b523469fcafbef7bccec697c7eee5731ef42c9204dc5a18ee8cc3839adfb2d66c79e5c97cfb95c102b6331441d6910e9d5a28ec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0b54fffdb5a5dee50c8658f3e28ec62f

SHA1
1cd3c612af24aae28d80014874a475ee06881cf8

SHA256
8b05bfc2db9b932b2c6b68fc57d25e67773b9b561ebd369f8692c13d06e011d1

SHA512
2feefcfbe1ffa2a5891f1e0a72f834977f95d6f49bb629fb85e33e5c55b573f5ec7a8aac221af340a496eacbdb211ae2454e797f6a1aa4abe61a291ab02c03e1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
5a650afeaccb52ad3a01d845af2c0c32

SHA1
d415e6064d722c3e6d488eb76fb70a6592f5c7aa

SHA256
d29f74b1396df04a9754631dd368186243929bffc4a29bff057647faeae769a6

SHA512
313ea47bcf8156257ef7ead16e882fed7c637da0bf7d24f5004b044e4111f735e66535f5cd543b600843d43a50b9f623d8fb65a17059335b94e75d52c6d3c470

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
2d444717bafb0bd21ebe442ba35a4c45

SHA1
f2bcfe2fe33750ccda49b644acd3ad62ae238dbf

SHA256
7ce01572715e2f9794de05a3fb7ab404cde3c69139adaa5f5867887fef5922e9

SHA512
d20e250c1b7e47f70a139f9fa534528d0901202781ec52670f9c2f120196676a56d9b59d170392b898d31eb2012caa75b4b79506b34af60127430541e82f27c4

Download Submit
memory/448-263-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/448-556-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/672-56-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/672-97-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/672-62-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/672-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/672-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/740-447-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/740-742-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/760-117-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/760-124-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/760-131-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/760-133-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/760-118-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/812-507-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/812-845-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1020-937-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1020-580-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1160-19-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1160-196-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1160-26-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1160-25-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1160-18-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1296-363-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1296-569-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1972-617-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1972-871-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1972-433-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2096-811-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2096-462-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2120-160-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2120-547-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2140-894-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2140-557-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2564-423-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2564-590-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/2776-970-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2776-591-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/3144-139-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3144-136-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3144-523-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3872-850-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3872-550-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4000-532-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4000-537-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4260-69-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4260-68-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4260-460-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4260-75-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4548-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4548-1-0x0000000002490000-0x00000000024F6000-memory.dmp

Filesize
408KB

Download
memory/4548-6-0x0000000002490000-0x00000000024F6000-memory.dmp

Filesize
408KB

Download
memory/4548-8-0x0000000002490000-0x00000000024F6000-memory.dmp

Filesize
408KB

Download
memory/4548-135-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/4660-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4660-972-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4716-48-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4716-37-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4716-47-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/5040-826-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5040-488-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5076-106-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5076-107-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5076-100-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5076-483-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download