modiloader | 6fe4c7d5e12571b9be82f42a4dcba7a225e756e9f043539a6278ef0f2c37b15e

Analysis

max time kernel
297s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12122024_1453_x.exe
Size

1.1MB
MD5

56f9b0f1c77116f27f527100ab5d8e49
SHA1

0b0c645cae7af33e778b39a41e8d71900ddf67b6
SHA256

6fe4c7d5e12571b9be82f42a4dcba7a225e756e9f043539a6278ef0f2c37b15e
SHA512

d2249f1c0c05975d5edce264b6ff2a3fc4fd321c26f6205c89f3fa02b80c3ec4728b616599f5053bd82089807fa7599032a3aae6d3df3f7b010d32907e1953d0
SSDEEP

24576:8dpFqERcBuu6VPxCrlYVLD9bM62XTPUznK2fB/sJ41m:8kAO5YvbMBDPUzXfB

Score

10^/10

modiloader collection discovery persistence spyware stealer trojan

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

ModiLoader Second Stage 61 IoCs

resource	yara_rule
behavioral2/memory/1660-2-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-7-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-10-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-13-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-18-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-26-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-37-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-56-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-66-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-65-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-63-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-64-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-62-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-59-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-52-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-51-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-50-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-47-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-44-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-43-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-42-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-61-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-41-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-60-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-40-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-58-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-39-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-38-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-57-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-55-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-54-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-36-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-53-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-35-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-34-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-49-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-48-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-33-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-32-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-31-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-46-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-45-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-30-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-29-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-28-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-27-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-25-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-24-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-23-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-22-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-21-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-20-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-19-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-17-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-16-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-15-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-14-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-12-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-11-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-9-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2
behavioral2/memory/1660-8-0x0000000002D50000-0x0000000003D50000-memory.dmp	modiloader_stage2

Executes dropped EXE 5 IoCs

pid	Process
432	afvgxyoF.pif
2672	elevation_service.exe
2012	elevation_service.exe
1040	maintenanceservice.exe
3196	OSE.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	afvgxyoF.pif
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	afvgxyoF.pif
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	afvgxyoF.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Foyxgvfa = "C:\\Users\\Public\\Foyxgvfa.url"	12122024_1453_x.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	checkip.dyndns.org

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\84ec1bd299262766.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1660 set thread context of 432	1660	12122024_1453_x.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	12122024_1453_x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afvgxyoF.pif

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef599ebca54cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8be62bca54cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054478bbca54cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004bc224bca54cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f183ebda54cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000213478bca54cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ad718bca54cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb777ebda54cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	19	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
2672	elevation_service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe
3664	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeAuditPrivilege	4872	fxssvc.exe
Token: SeRestorePrivilege	4568	TieringEngineService.exe
Token: SeManageVolumePrivilege	4568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1160	AgentService.exe
Token: SeBackupPrivilege	3604	vssvc.exe
Token: SeRestorePrivilege	3604	vssvc.exe
Token: SeAuditPrivilege	3604	vssvc.exe
Token: SeBackupPrivilege	3212	wbengine.exe
Token: SeRestorePrivilege	3212	wbengine.exe
Token: SeSecurityPrivilege	3212	wbengine.exe
Token: 33	2764	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2764	SearchIndexer.exe
Token: SeDebugPrivilege	3716	alg.exe
Token: SeDebugPrivilege	3716	alg.exe
Token: SeDebugPrivilege	3716	alg.exe
Token: SeDebugPrivilege	2672	elevation_service.exe
Token: SeDebugPrivilege	3664	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 4480	1660	12122024_1453_x.exe	88
PID 1660 wrote to memory of 4480	1660	12122024_1453_x.exe	88
PID 1660 wrote to memory of 4480	1660	12122024_1453_x.exe	88
PID 1660 wrote to memory of 432	1660	12122024_1453_x.exe	91
PID 1660 wrote to memory of 432	1660	12122024_1453_x.exe	91
PID 1660 wrote to memory of 432	1660	12122024_1453_x.exe	91
PID 1660 wrote to memory of 432	1660	12122024_1453_x.exe	91
PID 1660 wrote to memory of 432	1660	12122024_1453_x.exe	91
PID 2764 wrote to memory of 2040	2764	SearchIndexer.exe	120
PID 2764 wrote to memory of 2040	2764	SearchIndexer.exe	120
PID 2764 wrote to memory of 3692	2764	SearchIndexer.exe	121
PID 2764 wrote to memory of 3692	2764	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	afvgxyoF.pif

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	afvgxyoF.pif

C:\Users\Admin\AppData\Local\Temp\12122024_1453_x.exe
"C:\Users\Admin\AppData\Local\Temp\12122024_1453_x.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\afvgxyoF2.cmd" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4480
- C:\Users\Public\Libraries\afvgxyoF.pif
  C:\Users\Public\Libraries\afvgxyoF.pif
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - outlook_office_path
  - outlook_win_path
  PID:432

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:3716

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4152

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
PID:540

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:3696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:4584

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Checks SCSI registry key(s)
PID:4084

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:3640

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Checks SCSI registry key(s)
PID:1184

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2452

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3604

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2288

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2040
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d1a29c23364a2c23d497d695626986fd

SHA1
8965e1249eb02cf64eaeda357e3a97616cdb8fe2

SHA256
d3c8cf1b3797ce4acf75725dab7c55f4219e2d547d747ccee3bbb0e519917362

SHA512
6c27a4224e8329f715c5de292bf5e5f4e79cb12fdc88e354cdc2333562781f78b4a0197b045c40bc2066a4b36dbcd93968aa043861043e059304329cc1965f32

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
0a05a606dfd4fb423ea49e761c726661

SHA1
fc5d3a38ea3ebaa182143ed0e2a21780df6eab30

SHA256
97d225e649c394773d4214a06ebfa4278b5591f3806785b28ca80b68697d38ba

SHA512
e73cf7033d641bfddba40d43fc0ea53ce7c823d36d26981d084b29ec4afd9b59bcecc56b5a942c0de11ff421061d98e4fac4474e6b58cbcb07014dfccf6d2dc4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
42611c0d9a4d9be123c0736a42f7d86e

SHA1
f75161e36a1d99f94669c52928e644861c99dfca

SHA256
909a50a5128cf62ba76fdc4ff607465d25cae73b2dc7c53211267af22a75d157

SHA512
1558d7a2ff4b856f2787ea98314ee3aaac5f8f5171cd87ab267d6648fec20946e760a89f07d95eaf000b9aa78465d9c9743d688e939464f0b1dfb6c96ef12453

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
06c6ef9cb18b8629471a0220d16a0785

SHA1
cc73e3aa0d2a37b3f6151f569b05ec7fd2e7727c

SHA256
e9f306f2fb0b7023f8ded0e5706c98467e8e99af1d02fcdd62a63e9b1277b013

SHA512
816bdbc1eccc3fdce3cb5c5fdbfab8858fb526102ec921c1d889c0a91b6db1310b5f43fec9c7e7f0e30285f7594fef7b43288203a7ecb2abaa955839a929bf4d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
392b638daf26c561c3cc57a86f82dbb1

SHA1
48a5de929759781516397d753119efd7621ecd62

SHA256
e4810d8df6d2f0aeebee9f46b9a0eca878db68174470a31a25a4ba1fb31c94e9

SHA512
0ecc9cca11de38d91744b2ab303f74b3cb0b4526a3c03dc796df8308538de769e2e78108155aacc4ab3e6f23ec00541f5146fc3b132c47f269ecb4546335aea9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
1a2e7e3863829d5569f01d97ca49e69e

SHA1
d1d2dd54fc8511715b1fab6a7583dc4b5ff12924

SHA256
42a62f7253c04ce87058dfb27939910969a7bf143cfd758d403014ef7b0c23e8

SHA512
16aba5a473bf12f3c3543a581d5baae505bf0bd5a5a09bd6ac9331ece1da45c6ec084eba2ae8506c5f90c5d31259a0b23ab626ec4ed5bea4cfd0f7e1c6590558

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
42825e20f01b05d5426cdc54cc13cbc0

SHA1
89edadccea89eee8cd5471300c90a414d6181bf8

SHA256
5ace0acea4009d595c1504e640b03c3241380eaa74149e1bf12899348f469e3e

SHA512
4e2687981b80edaf625c5753ecdd061414ab9824c886bc8989ecf41fef537587042eee65cabe6ec016893ea053a36da60c8f8a0b210b8be46ab25802d3c08cd1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
136e58f4c9d1dcf8fd4039ce74595df7

SHA1
5a7e7b790e71c35c55b3445da007e4797f8897f9

SHA256
73eb9d7783355d28bb3a510f304b482c2382bc03dcd08fe289f635e4424aed6a

SHA512
f2fb249ecb5ecbc8b181a73507eae2b2d456a1d1e1fab90c1dcd086f59dcec296cd425cdf5a148fd5fbc1a43c032bfec72d8a2f0de60e1839cada97881625d77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
d3cd2435e93e1d902b072a5323830632

SHA1
d0dce85cc510bb7563210ce8b371ffd8332dfed4

SHA256
a4c12a6c04592b1b7bc66df66704b899f0b34cef61a782a984300a73aa74079c

SHA512
91fc6c94cc25cf7bf069b10b329c173222926f176129efe25c366eeb13dae9efa52d1c36bcafefa582c51971886c5ef9368d7c4ebef30134a51d20ed1940167a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b85b7af0f8cd70db15e358242b1820e7

SHA1
3d1ada699299bc072248a30a0a30ad911faad998

SHA256
a05d171cc6063d9be5bd4ea8151df2e54b3e1f52c5d3bc3e7bfcb7cad0fa3124

SHA512
cae6ceab3bb238e3b6512229f6efac942f7491707bc28b9b6adaf726f47f37bc97bb3e9131d6059f88e64ada736d67f6f1212869b2e1cf828e2faeea504f52e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
74aafc9509e6a9d983cf57d3bf091897

SHA1
601fbe711f4ea61a130d3f4d39f7891f56ca85e3

SHA256
77b26317177c3f4792f1cd16101000194fea5513d2bd47b8b6e55a198d9cb956

SHA512
473f5d0e297bad9a9bf0a2f0345260a747ee5b677236f0b77d11d07a5e8b9c9e0d2672ce396de33f3096998fd90aba47c260c134fe99513f2a9c0aaa8ef2c9f2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b2ceea09c53a88e6a4b25346207a9052

SHA1
abf17b1e3da14ba7340ccdb121935b0117f40901

SHA256
e312570267dcce29e907ae8df60d0f82451afc85fcfa19ab340f0f0c83a8c955

SHA512
04d8b8a67bca4ce50ba3c5ca64b8cd666c6eda5363c8a3135b55f9a5fbd35663540e56d99b4f4ae2157853bd88be9ad64ddbf9471898bd6d24d3a87e070ceba7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
862348b8a1cafd95ec00450db9b6b617

SHA1
9998d4f8953030277922b1c435c2ca7cf534ad01

SHA256
b7a17d9cf26293b7a98b68f5333ed05c5e0494740cf64587c70a1687e2515a59

SHA512
3e87352bcdf9a53f04433c6384dff76ea3f7cb0a7486e7bda5d37d5bb9ed89a8eb60dd8de79bafba50b18e082e5d02d73df47bb439411aaebb485045e3e29ece

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
a2abe01feb2f48d18300867502439e92

SHA1
edeb5905cef80619240f199486d97817f5b774a3

SHA256
a8cb8dfc0c84845ec42bbe09d36cf23520f0ac12f15179940c1e305d1f2d10af

SHA512
86a6d6834afcac243b6ab10659e1f26c67b9aa193824163f8c72e43f05ced89d6e34a6be2f6dc4a03db3479096521ee0289fff7e01f6d4ee10fca4476811bd1c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a1ae8a66f461e36702fd276d1d145511

SHA1
60ad94c245f6ce1ba65a36b8beb6a1544fdc15a8

SHA256
15308c6da6b56fa582d2a978153190235020f1616bbb4664d4b56e6e3ed32a06

SHA512
e4ab29c6a7a1d03b67582752ac273eca9481a515ec1273bb0217de86f133cbd38be67b813540edcbf06e23e0742e80aa8b50582b04eef2369c78c1b360c73116

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f6fa5dcb79225ccfb017b7014612a52a

SHA1
cd21aabe78f5edff3cf824bb811bb5c3b876a90d

SHA256
4fb42306361102894820a3e6f9eeb6e5deca97061ec37feb671f1cf3839df0db

SHA512
031f65402f1084400d2080c6dffd1f3c527e301956e52ec3568db0856588b693b0891c74b486b05f5948e3b66c6500107a6d41a7e23c3d4b86a9a7b0c0c4ca58

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
59db821afe0507b73a062f4c7168f589

SHA1
ef82f058a51d483217b12abcb9f57c5356e582d2

SHA256
b20e6509b41dc111f200e2987ade155c0027df92dfb7dae61d26d227b82268d1

SHA512
631103b2a8cc6f91572bbe6567b614e25810e3ea95f5cb4ef331376bb5abf0e90829a39db102bb4122b68c2162879cf8f96fe4b67e060cc92a78a2dc907e9bc5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
a18221153bc6c9c1f7e617aea61157b7

SHA1
f86878813c16061b02488540b1b2b9b44a168159

SHA256
420032fb64f298fe195017b0afd2a12f1d4f0db252754e5ab37a3dcf30a288ef

SHA512
bf44284637e1ecc98bc0d8d6b5d8412aad3f87435f63e459fe054f0b107155aa342419d146435e527b3c92150014a3f397fa41b4ecd30ffadc7af79fce237af7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
f99de3f1cd7fd764260aa526d5cbd02a

SHA1
7d247527e534f3363fd3708016e7be0c7448880d

SHA256
8a3c1240b5293b146521fc31b4958de6d9573ab7f028c0a436f58536197f4979

SHA512
8a479467493050c5b24ed2d040637f6f0dd8204d7d75e975c5a737d4629313a8573d78a38794b458a17e16180f68b1a12ad062025f5ea7da1fac7c7b74b51c35

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6cbc179b149d11df668a1787f5a74ed2

SHA1
a344e2952de95cb35336b35393ac9d34b4d841cd

SHA256
da8b2dd03c5dd82428d70f0e7455b4373c2e443e44fa757765e45a81ee5acd8a

SHA512
e3c24e7cad29681372dd4a4698a86923e8ac14c1e46fe7fb5886b741421fb7fc14cad5fa630d22d70b0471f119bb27830ca9167166d87154b442f52658dfc701

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
3a62c17a6dd472aacd6f4e9ceee7acaf

SHA1
003add851bf026764e85cb5bec717aa11fda9bec

SHA256
e4923479044312d743ea254631db566725b4d5db071f1260399552b20786fbe6

SHA512
1399a39344be87afd5d15c4fac5da8393b0adc76293dc465921a929ee24ed2ad7abce8be1caabbf6c649c8d12012f015c9727f33381643eed052de67d9f119af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
49edf5042e12f167d11d6e68bdf19b15

SHA1
e6b9fb981118a9d9f6b227ca0f3642cbaf1164a2

SHA256
bb0faefeb93a98e08311466db900309d02261e9de4089a2a939b352ac7a3e856

SHA512
c296fa6c2964c4157b7befbf4b13e779bd2dd27bdf69fb03eedd405535700b7226c8660a00c06b5ada3e96adff5f1191c936fb03d6f2bc82808c8e3ba95ae5df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
6801393c41dd2f02b714979035951dfa

SHA1
30e33fefa60965c2b5f6a6a76c3a3b6af6b35f91

SHA256
2afba3758a121749061e2991e52a996384c324a53475d135b57f6986d80ce333

SHA512
3a8ad704c9e28fad26083397f839bdd89c8aa1375d8fa5ca7e8f13e9ee947d3cb4a8d5e36f5a3d2a9495fb9e1babe96bdd55392fb7b73dc0ea2bddfa5720c38b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
47101877b9630fd1b8772cfadc2b8092

SHA1
bfa0d6f56c2b26894d92937815e456310145cc22

SHA256
fcdda6b628bf52ddb34c91dad56bdc35123720d5e7449ee5fd5fa57aa61669f9

SHA512
b94628fccbda8c3124adc71b14f7c42306295f01d6e31b3a6f6cdd56a583f7a20bb59b7b55901e6e04413e09d7af26265309c2906be3cfdbe2994507d7b17d98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
44cd7128f917ce7aaaf36a48bdaa7571

SHA1
cbeb19ddc5b2baefb9806ff94b0dca641db4e6d4

SHA256
1195bf0290f6029fecf97dd5f62cf52de319158e42193c21454e67d41a03fc88

SHA512
c2a801d30de3f77393736d44ecf0dc16e764b2239164deff26cbec2b66c0a7f57ec839835fee7cb2f1e81a0643590e434de1b53332d4eff356accfcf0b6533d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
4073c18141064dfddbdd931234f3e0a9

SHA1
ccfdb87019cb16d2eccab3393d3e4c151078bbc8

SHA256
34525b14cd31510e8290fb27eab5ec4dd1e27c31bceeb86563a28be8e19dfe0d

SHA512
3547167ea95293d473624197bc87f623859640e4cbe9ec3f53f94f38141b9f40c20defce38134e6b237b4057ee1a8a37668f1d63a5cfa330301ccd6658a00f63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
d8ae8e6a1c045863c5c660e0861dffe4

SHA1
12103328769d481c6e92cc7b4694f71dfb120d98

SHA256
6c76fdfb69dbe8f623a02465f81d5d638e5c06e5fc1bb8898849c0d49f3db7eb

SHA512
612d21794cf51339b1ea83ba8d82e2d5fe85bfb9bee7e2d230bf238e3fb14da5f5ceb85aea5ea53af3538f5d9ce4e5666b94ed56c31644beb104d90a82bbc9bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
c168c0cfa1020300893cfb15b4ee5085

SHA1
8e8d3df496caa32e0c812a88381bf8cbea6ed1e5

SHA256
7360b0f8620af6ddeae2a4f846ea32493b59cf21ff4e132e89ce1ed603ea8dc9

SHA512
3b1d9551c1446e907981f47fef2e7b6a509f0474b7b6a945752eddefed877221af588b7ae8bed768ba61e5732fbd10cdfd0b855dd282842b91ad7a7c4f7b5956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
9b16cb0434f9a167732fc2e7afe0c7be

SHA1
3ab8468305ce0afabc9f4e0c3924e364aaa48b9a

SHA256
7adf2eb70efe4cda6a6e134959702d1d71724c074659e5a6ec8e50c080b22c53

SHA512
6e629790d761a78bbe798d0b949da2c87ce01ae2f7a7af9a1e3ceb975850b9def6a7abdfcc69cd5538e9e9469377d0eff21c14ea3a73789d9a88920980b7c68c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
ebd8b1c2330ba2dc1b158a56c0b36fe7

SHA1
5cb067317dd32d46653919027418f52ab70c63ce

SHA256
e74f0a25658f426ebf068174f6b238466f5205e4e68fe9b266227e2c23849f07

SHA512
0aa510ad0d1d17bf7095e2d37d9b2d14a552b01beceeb41cd4d42792ae0d6d58e605983d8a61c6dd7abaa30944fb37237f8c081ced7a1a31ddee555762f35ce1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
b327bbe262d4b5472e1b871987044ae5

SHA1
cd4e88821f72689d9a2de540a3e099a6701a4432

SHA256
ee13fa3c62781665a4fe87dfa5cdc1ac9b8d96095ed7d6903f0a7035f6727838

SHA512
68d5286e9944403a7e5bab7e67df93120177d17ddd72d3a5846ed624fbfb76fadaec58b10394c29464f1245e1f1b05609158071638e245add61efb3a0aead5d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
d4b0c76d56bf320fbef792fb70b05e72

SHA1
290cf0e9687e7d7b468d49897dec8e70e6338757

SHA256
f622202e097a8f833b46bacf29ebc3cd49dd8259c4a3a455642ea2408ecfe55b

SHA512
7ba3785e0bba2f0ade692e520f22c3045f601ff09d867ad5f0519357cb19574fdcfdbaf4eefdade30701cb644fd4550f74ccefadcbe5ffe82f2c0849f510222b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
44cb284af8bd8f6c2f542b8acc178b76

SHA1
70c8a06a844d1558fc7b839bc2073299a0e0de72

SHA256
b75a791721774e26f86c64d37e491e9953c3993de60bbac7706f1ed9a15224c5

SHA512
fc1f02b677a77cf61038181396c03a80427d4eab51aa0d79c39828ff568fcb0f8a17e5a79486c530411b0813a08618608a4132b20dcf62c604c15a6e25a738a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
bd84fd7413ab3d66bc9abceb44fc3b58

SHA1
a52aa6b27445fbc084b81d5b619ff4a35b63c50c

SHA256
f18ebe7472b759eed8482f6d6ab6aded22c97c04503bef071e20d61bf52a7f0d

SHA512
5a2c6897c12f9d11324f4e72c7315ab66a5b8bdc4697b6bdca96a3983030fec2a512f575efe2ac4b3772220f409fb2128ca5826e021da72204a406de428345f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
8247fb9b9ed4adfa3c8712655cb349e4

SHA1
5ecc999a15b89486d5387cf0672bcce5c0778650

SHA256
f5bad13e4d41e9a085290522906ec07a03e1d94b8773a0e90247313faa3d3f2d

SHA512
fc5b024d075150391590dab60ca2ca0e65016f9319038935d6b7fe89c05272c9888eb6dbd5e6f054530cd2b76e6f654f56773d20229878af6d50842b1785ce30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
dcba54986b3b5f78a29a9742bc1004ca

SHA1
049e5180e9e0efa2d5207efc4ab076f06a70f4af

SHA256
4c0937fda37ce89ce6cc9c139f6c8dcbb4c4c89435fca2087034275217c2529c

SHA512
7c6d01496b09b0f7f2a8206410064d0fa2038b933d159df5bc6b4c0fe3c3e71e4b167ab57977abab465d13610df8d2e5ff82ee5704c07bbd28853da368f0273b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
4cd5c506da916643b7108135bf67883b

SHA1
d73e5217f76157e55158f06f82f9f2359c948294

SHA256
ccc67337a6f568fd29924c465fb8faf97e8b50aff34ccc4f2a6169908b47d768

SHA512
c4882cf1596a016ca05502b41910282263acc9ed05cdaf9c72789fa83bb12c4f4bfbf1d653336947d8c76a48024d153b3c0bfce7264846bbc26e9af96b287da8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.1MB

MD5
6cc2c034f62535370d6adda12b0fadb4

SHA1
b1f327142db6d04616c2f00b59f78f3e197cdb26

SHA256
b7536de771d01aafb0cc65649d126c41f1ff0a3902aa6de9c6b792911586b9df

SHA512
cde4f1c106a02111ec4a8623da0b22d5bcfd1d9172e627519209ac9782198d84fde55bba9b02318a210c02404cc8b67ffd0f427bddb8b760835e6717aeda2fc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.1MB

MD5
44cfc5ae7fd8f8d28bb5e75202ad92bc

SHA1
f2fa5d07703101dd3ccbdc9e35ba50fe48876602

SHA256
f5bb524c6c877e6110e01b4787ddd441f5812cebdfe78255f0de8039d3f187cd

SHA512
c96a7321056e463c255bef5e41a57b9dbb92965272a40c4fdecf5cbabf0b94e1e45427e721bf04b92b812cb51e9d8899220a6d5848fee81a5579865e1ec536d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.1MB

MD5
4d83e202a921dbbd4c65b0cbcb2777c8

SHA1
4db4b4d56d867bba003b53af55b839e8e8bb0ca3

SHA256
427cc2721af0c46db771b26a4a0aeb8bf153a90026569344a1872f423fc1943b

SHA512
4fc6682096be43dc4b85b977d301bbe4b423836beadfe38d435d1ab529a751119b15f5a11c9e91e8bba57e42cd3450927336dfef4af405d57c17d7a83a61facb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.1MB

MD5
f3b895b072f35a4d43f838128c3c74b1

SHA1
3cb69d87b77a1d0fb586bcbc9062424651fa5f96

SHA256
cf5c355a876e6a8861c17e66b3dc055a9bd3810085abd6261babfac2308f6b9a

SHA512
2a3beb0d411e595f0f33bc7ff8ad0dc7135bfe4a73157b5d5719f88a24f2786d61bd4452b56e9f36bf1e7600f5207f6c9272d1fa3a67dffe754f2f7a80f192ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.1MB

MD5
5e871ae09919645255c8094394996d17

SHA1
8d9d5aa9f60aeb076b279e638f395494c594a07a

SHA256
99a87ec0314ce9ace31a7402c2a75d9b1cfde2e31837d3c6c18f422aa7e872a0

SHA512
bb216685f3fcc0d76f39f7b7241e51db21628236b4d63c3dc35ff65c55118ea735264b273ae66bd663c74ad61e3bad5ac210b7afa090cc7d7e8a3280c2ac9e3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.1MB

MD5
0c231a47bf849f0ad8464b497dc89770

SHA1
68569cad5c8a9a60a1c892ed9c87bec15ba78631

SHA256
132f0915e277a9ac77052571831344263e080b7f3d5dc6f84c827d6c0313517a

SHA512
190135698a0c36158902c19f7a085aba7ed079d59f811af941bb922643257ef9361f5ca075c90ba1979f2a19664d87c8092633a2514683a7c87beed6fb6da972

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jmap.exe

Filesize
1.1MB

MD5
4beacf438ead61a1467c62d0c4d7aec3

SHA1
fbaaf855e04703a6a4d3c0a68e9b2875e0db0279

SHA256
d3e750e01d46b98af9b41f4a855309d2b26c5a30a0579ada9f9d681b81a18828

SHA512
f0749c2e0cb3e23d1a654c1f753aabca0c14faac255063a5f580dbd34efffa8fb7ed4b4ace0eb3374b14d90720942535191e3ae94919f11aaa3da81711f51d24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
1.1MB

MD5
57df9d3ed64a4e70218c77b972c30f0d

SHA1
351794548c50aad183e54a5be2b5fecb4c074d78

SHA256
36b3df0fc2354dae61d7a6da43fb13a2d82f3156914547f3f99a40c0b7a99841

SHA512
1a51454521ac1029fc73ab5d28d530dbc495999fe91e2577801a9b6700f089af3cc4214ced86cfa27d6e3069d4a34c8e1de2e01b053a447cae59936557345367

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

Filesize
1.1MB

MD5
b19e1f29d85ffb2de33ca1ad9d72417c

SHA1
293ea2eedfff0ef321493d8bde7a1447c9c4d005

SHA256
b07406edcf5d077eaa9143f43ca65b8ced55cf6d989fb6c58d6d0805ba16b67e

SHA512
34b2ede7bb837828b64edc73f8d650473d123fda40d5e4fdc1df7434639f0de9483c50dce6b7d59b22a14122a8af81027bcdc034d917add7d2643d07d861c92d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe

Filesize
1.1MB

MD5
fc2fa509b41959d5cdd53ea5c1eafe32

SHA1
6da03d338cfe6358f898766658bdd5eadb407eb1

SHA256
b82a219be63f071218026e4bfdae7e4ba42f78d676f0a294a19e7d7a5b21e0d5

SHA512
27c3b5851daf1f95deec9b5b0e7ee78eb100af166399ab39f5c14feee80bf2b5095fb573bb493ad30c71a33958fe8509e127689dabaa6a0fcf1f550bff107725

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.1MB

MD5
607fff0abfff405593cf17897ac1a2af

SHA1
11cbbea845810b101bb7168f30fdc1084ee941b7

SHA256
b8f7af73e0b2455d7dc5b87a585ded4d3f9666ee455be9061b3f2847536c08fd

SHA512
2e485acbdf74439280bb4586cfca9bf4557fdef7d29f3906a0f884e6def34055e48e3df25c25e9d2e8c78720906c362e2cc6952517b4e876d363d1cb1b535463

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstat.exe

Filesize
1.1MB

MD5
5721a08377eba1ef6974649c17c82b59

SHA1
e53fe5e968fdf1e84803be5e207c6578d9537817

SHA256
64c9f8dea3331aa09dfc4854acfa5aa4b3bc7ff5605107582627df41c01562de

SHA512
be68ca8cc3a7b1228426005b944da192ff90fce03025c1b78dddfb70f0837ad1f756af4cfb586980e673d6e53bdedb4e73ff35652e1bddba5dfaceca54fb39a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

Filesize
1.1MB

MD5
8587807eca7a9b6c376d260b0876a64a

SHA1
85b33fd94b6a18bc7295d33e6ba42ced7b670b6a

SHA256
7a1371357546859c27ac168a61b62b368d1e14a2101cd79d2f5064567c98fb1a

SHA512
f74bd2c1ffb71a53189109d15eeaadb881ebb7b0af5fb3512e81e2ec03316ac9b06ed48f66fd7834ccb117f261181d505224745cb6a42b0c7ae769d907467786

Download Submit
C:\Program Files\Java\jdk-1.8\bin\keytool.exe

Filesize
1.1MB

MD5
2f43fd7cf24900fab7e4e02f3742605e

SHA1
5fd7028e2be8027d17c8444347daccb62e4acdb8

SHA256
f08b97979ca945f28918da571ca0c7995f3b04c1ba515c17bbb94f29c1092b4f

SHA512
15ba43d3e2411501b905aad2e4e149b83cab6cf5153064275f8b976d5e0282c93aaf4f7f3be76ecba0cf51adca3841fc7fa15a4608772355883b9b15a3d7f80c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\kinit.exe

Filesize
1.1MB

MD5
42ccc478af9709dbeaf0b8582ed6ad79

SHA1
5c5aaf83541b12d497707d26a4113d02094d1b52

SHA256
dbbaaad2ad7eea6df8aac56b21b128658583e9cf05a9beecaa7c51316286ae41

SHA512
e682fb6c379526ccd20107d59ed5cbc38c6c6f60ba1dfd1df900348cb37197aa9140c9d97fb280dce0edcf3b6e0ac03ca0432573f07844bb6dd8745e2264a49f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\klist.exe

Filesize
1.1MB

MD5
2f461764ed11b4c2f196bd8457380736

SHA1
2db0c8308be33c992bfe97fdec887f200fbfe01d

SHA256
a932873368bb97f8f52d4c7b2f0bae9723716ec13da72ee95cdde7acd6cebb65

SHA512
269877ffc6ee34d16043d51f34c1fe237d025ec6a793d44184a5ec492ec400df73379db9ddf90827248caa67c0a6a1fc3f839af4191c234dbd64f98c95fee5cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\ktab.exe

Filesize
1.1MB

MD5
d3e0a4aab6040a00916a1ed6e5d8e3f2

SHA1
89fd502cac91a56adfd88472f4962f5b39414ad9

SHA256
257abc1c56c437703ec451e7bac1b13e5f356c4fc00e0e04d5bca468cb5de46a

SHA512
6f174c5f1c67bf6a654b13fe2c3c04472995bc79d7ec16d73d38e714495601ec6b22aba3e216a42d4caa876c65572aa512a9fc90a0d8a2e8738d53a1a9a0e12f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe

Filesize
1.1MB

MD5
fb7ce85084a2be44d2bea0789018e4f6

SHA1
1177ed333986f3a4d3a687edf4e45aa09583f4ff

SHA256
cb0b6f87758f5d9c702b7bf05f3b2b0554c77813655a2881c86d1a82d1c058b3

SHA512
b051cbcbd4ea3a313115ce344da71a4ede37725de999af48fedd240f43c44b8780d1872421b864b465cb2d74e58721fdae01aab0ec04bb071a4e198b925d3cbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\orbd.exe

Filesize
1.1MB

MD5
075d6a3d6918d60cdaae43e1b2035413

SHA1
ee786062a71ff1f02e7789b325c05e2398f226f9

SHA256
88a06d65294c4b898161d7ce8f5f836265909a8c5893975e2ced86b00f833ae7

SHA512
c70a239ae60f8f781603c5402f04a28e7739568e2ee1746af99f00661d699aff8574e1adfd60a0c698c56a1449c0413ed714e0a0f7b4ecb58ecaaa6498a9bbdc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
1729964e8f6281f789f0edfde329a7bf

SHA1
799d269ec1be8c7a4958e8ac1a5ac1a68fb25af4

SHA256
80ed754977903a66312aecada023fbad5d127a0602872fb32ae51f8f2d49d825

SHA512
e96c239e17e5277eb768f39bd554d63eb3994af5b9f07a29e5faff78076be85ad47641c7710412acb6d5ffd465eb10313040bdfae3721006067444ad502d6217

Download Submit
C:\Users\Public\Foyxgvfa.url

Filesize
104B

MD5
4236917f256e0153629c521f3ab5deec

SHA1
491cbb5ff1e61f58ec65323d8fa834b8d82e701c

SHA256
2c871c69b89b68790e9f7380c700a511aa9960abc6f1af112c8e8bb4e2b6b1b2

SHA512
683050af4f4a5ff00b1cb0fdbf1a8cece64b96b3cce30573a0de3b4da15fb67c4c1513a815ae045f8fa310022ca31179d3c1ef6a29c71a0f5279cb148457b12c

Download Submit
C:\Users\Public\Libraries\Foyxgvfa

Filesize
1.6MB

MD5
a87f2c7be53c69bdf5071091d14efe6d

SHA1
99aa43b15a01e2c980392e3b70ecfdda9bac2922

SHA256
044aed9b4930ef71a7dd78301fdb45d52bddc600991ba39f1070988a6cf65c06

SHA512
a965a4dfaeefaf685cf42a0394230ed7e0538deae91dd9a982da0eec9bb2a1cce582f2f1d4800814d5760393dd097589f52df0f55a79747ab4f05ee3fa671e95

Download Submit
C:\Users\Public\Libraries\Foyxgvfa.PIF

Filesize
1.1MB

MD5
56f9b0f1c77116f27f527100ab5d8e49

SHA1
0b0c645cae7af33e778b39a41e8d71900ddf67b6

SHA256
6fe4c7d5e12571b9be82f42a4dcba7a225e756e9f043539a6278ef0f2c37b15e

SHA512
d2249f1c0c05975d5edce264b6ff2a3fc4fd321c26f6205c89f3fa02b80c3ec4728b616599f5053bd82089807fa7599032a3aae6d3df3f7b010d32907e1953d0

Download Submit
C:\Users\Public\Libraries\afvgxyoF.pif

Filesize
171KB

MD5
22331abcc9472cc9dc6f37faf333aa2c

SHA1
2a001c30ba79a19ceaf6a09c3567c70311760aa4

SHA256
bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

SHA512
c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

Download Submit
C:\Users\Public\Libraries\afvgxyoF2.cmd

Filesize
8KB

MD5
6ad61a25537c0e75e1bd8bbfb28dd873

SHA1
1b33cf823e76b7348bfc8343381c20f924e1bf82

SHA256
aece757ce52fc1786ec935507955e73a3559355f7c1d6a7b5bff495f9bd83aa2

SHA512
79b8244268dcc77a1e3be559955f207577f9450d71bbc3b2eb4dd7e9a1961543f3a4be124ed5f6e7bf8ec8c2e6ce08f5ecf82faa3808d5ad2ccc8808e8dadb8a

Download Submit
memory/432-523-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/432-415-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/540-739-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/540-536-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1040-513-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1040-491-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1160-727-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1160-724-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1184-636-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1184-853-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1596-676-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1596-854-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/1660-31-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-41-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-1-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-2-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-5-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1660-4-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1660-7-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-10-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-13-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-8-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-18-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-26-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-37-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-56-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-66-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-65-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-63-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-9-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-11-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-64-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-62-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-12-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-14-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-59-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-52-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-15-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-51-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-50-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-47-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-44-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-43-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-42-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-61-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-60-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-16-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-17-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-40-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-19-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-20-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-21-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-58-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-39-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-38-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-57-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-55-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-54-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-22-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-23-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-24-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-25-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-27-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-28-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-29-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-30-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-45-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-46-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-0-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1660-32-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-33-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-48-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-49-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-34-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-35-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-53-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/1660-36-0x0000000002D50000-0x0000000003D50000-memory.dmp

Filesize
16.0MB

Download
memory/2012-635-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2012-480-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2288-964-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2288-773-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2672-459-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2672-578-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2764-965-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2764-793-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3096-956-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3096-738-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3196-524-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3196-728-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/3212-961-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3212-751-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3604-957-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3604-740-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3640-608-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3640-847-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/3664-468-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/3696-551-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3696-750-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/3716-555-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/3716-447-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4084-792-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4084-579-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4084-960-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4152-501-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4152-723-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/4568-706-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4568-861-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4584-556-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4584-770-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4872-528-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4872-481-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download