99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Size

1.7MB
MD5

90b4872a4e6b13ebb2b31a93fef9784d
SHA1

3a73acf010ab915cff9a502949a735f833fc1ca8
SHA256

99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1
SHA512

43c293ec7db884896a896a292030043f966a7d904fef6f41b94d910ff952e3927f78e075ab8e822c51ad59ae510207921bffeb5e76848f3807b4f43682a8129c
SSDEEP

24576:eWd7S8NK3oYpkTcDvebZI7LrS/85RkVt7jCSkQ/7Gb8NLEbeZ:eKxNupkTcKb4rSUfkVFjLkQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

pid	Process
2916	alg.exe
1508	DiagnosticsHub.StandardCollector.Service.exe
2648	MicrosoftEdgeUpdate.exe
2332	MicrosoftEdgeUpdate.exe
1860	fxssvc.exe
2084	elevation_service.exe
2200	elevation_service.exe
3480	maintenanceservice.exe
3824	msdtc.exe
4264	OSE.EXE
2000	PerceptionSimulationService.exe
888	perfhost.exe
3396	locator.exe
4616	SensorDataService.exe
2272	snmptrap.exe
2096	spectrum.exe
2868	ssh-agent.exe
4064	TieringEngineService.exe
4324	AgentService.exe
1460	vds.exe
3068	vssvc.exe
964	wbengine.exe
4048	WmiApSrv.exe
4800	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c52ae84fe1dbe0c8.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\System32\vds.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\locator.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99609\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c0258e7db81db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008d6c65e8db81db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ead1b0e9db81db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026c540e9db81db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4f306e7db81db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f10ace9db81db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9bacde6db81db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000316bfde6db81db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbb568e7db81db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4900	javaws.exe
4900	javaws.exe
4496	jp2launcher.exe
4496	jp2launcher.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeAuditPrivilege	1860	fxssvc.exe
Token: SeRestorePrivilege	4064	TieringEngineService.exe
Token: SeManageVolumePrivilege	4064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4324	AgentService.exe
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeBackupPrivilege	964	wbengine.exe
Token: SeRestorePrivilege	964	wbengine.exe
Token: SeSecurityPrivilege	964	wbengine.exe
Token: 33	4800	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4800	SearchIndexer.exe
Token: SeDebugPrivilege	452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
Token: SeDebugPrivilege	2916	alg.exe
Token: SeDebugPrivilege	2916	alg.exe
Token: SeDebugPrivilege	2916	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
4496	jp2launcher.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 4900	452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe	83
PID 452 wrote to memory of 4900	452	99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe	83
PID 4900 wrote to memory of 4496	4900	javaws.exe	85
PID 4900 wrote to memory of 4496	4900	javaws.exe	85
PID 2648 wrote to memory of 2332	2648	MicrosoftEdgeUpdate.exe	87
PID 2648 wrote to memory of 2332	2648	MicrosoftEdgeUpdate.exe	87
PID 2648 wrote to memory of 2332	2648	MicrosoftEdgeUpdate.exe	87
PID 4800 wrote to memory of 3480	4800	SearchIndexer.exe	112
PID 4800 wrote to memory of 3480	4800	SearchIndexer.exe	112
PID 4800 wrote to memory of 2656	4800	SearchIndexer.exe	113
PID 4800 wrote to memory of 2656	4800	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe
"C:\Users\Admin\AppData\Local\Temp\99594b7748c73996557829905a9f6c206614edd8e5a29870e9ac5695863a28f1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:452
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1508

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1700

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2200

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3480

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3824

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:888

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3488

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3480
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
1.3MB

MD5
81061fe273534a718ee484f4965244bb

SHA1
ed030142c55b0f133a76bda9d6bece02918d5ced

SHA256
a779f9aebeb9185b0bd33c1b4d237e21bb5ad518f5d6341a8a9e3ec168227291

SHA512
77d24aff4eaa2a91819185427bfae21f8eac35448eb50bbdb2a9259cd3b9a69ee666429fc029dfeb4f394855574b2741564820f401f181e8b19a9cfa661f58c5

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bfd246d3d02120a460f4d9aaedfc8f71

SHA1
8865e9fc2944b9920ace4e4a887a18093b900ff0

SHA256
99e1da627b5769ceecc42e2f0b72809133f76ff49985d1ed5da011758787d828

SHA512
fc854b38c0a13874f5a93511873faaee66ed99578591961859907e78a1ddcf9530429787512702a40ce94e96d2762a1c6b84e621bddb109956e9033211a7613b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b9c6f9ba9ed5e3eed7c55db6dc6fbe2d

SHA1
526174e8ac78fc1e9c2de3d234acd24582aa51c4

SHA256
5cd24237d82cf89a3ff9da8af621dfe5a35b577808bfafb9916f3469a2fda5c7

SHA512
13c5932444463e2aeb6c49de5826f9c00adacf81cbb9bc8701601e8ccb6d88de523a77d8aca7a8f05ff43f1fa26d6e49e765cc21124ec51537d4593682d9c441

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
4a4e4c05e801a83c314916fcb39dd626

SHA1
b174245f578545f1585f3e0e384d6f3e4f85ed83

SHA256
e59d02be970e4c9ecf402173467cccc4585ff53ab32df78e27bde26ec8e2b9cc

SHA512
ba5c538c26b8078fb97c3fa1f8a063fd2b0828b66d92a7b8f2cdfbca2886f1c393b9cc53ee8b5f757d85e30eab4b0d1c40789fdae3f1d4f9d09b25242ab2c389

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ea778466481d487982e1f44c665c7dca

SHA1
bc69cee213ecebe79b0b79e3fb9fb878e28f48c8

SHA256
bd5e3361243ccf646979ce234e5e2dc4897fd682704dc8f84ebfbb79e2f65cf1

SHA512
93dc4148d70e6449dd0c9bdb5e190c94f6736df641b29910bc97f898b0667dc2edefbe150dd8af3a24a72596a921d6016a10b28809330bc98c19dc63de6b3684

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a5e6f4e8ca257b9930b9c7b1f32318f6

SHA1
6acb646febd50963fcc1142c2918c4a1fc1ec4a7

SHA256
c03121951c7e32eef337b98ec4c784241712bdd2f1d1bc908a8b7ac2e8b990a3

SHA512
134bc9a1ff8bb37d8e39d541fad0b89afe048376eda0991e4db6c412de85ded84aaa0c5c22bbcc4246a8a41e0a81a215c1f566e0270b0c09165e96aa263eeb26

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
84ce1100c9c366c106390b0edad23ee7

SHA1
66022f0b7c371395d6298cab682410ea0a73fb4b

SHA256
07e0fcc0533bbb8677703bd7ed65980d917543a57d6e169ae2374eeb45f73308

SHA512
9c003365204b1509434753eb1e7f973a595827663d5e72a62639912f20813cb7284bea5b88dc32c828f8719b5c3693e3792d1de6d8b9ce947a23f7a0af957bf5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
42029cb477fd8e7d80a281e8305d1bc9

SHA1
47e4d063b06d564cc5f03508106c36f78fb14e04

SHA256
809e994edf8833c47df5ae5acad9c4eddc728517f5c3229ecd1b5cb541e93526

SHA512
5b8db2287004415861e88f47fcda17c284918b9d8c6c48bda045f54bf22756219678318b1129f0d1d6a301e065d0aaf096813e42936356254ec344d3d67acfea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
66e8f236f7477e2aa8fa91e851d389ad

SHA1
12770fd8079e3ba06d53e3693315a9d330cc47cc

SHA256
822c7836638abbbd802f9cb503f592582fa6b3135ff6d48a833ce444532975ce

SHA512
29d9abf9a6e0cbb672d5a1329b0d4a5cbbc9bcf54265a238ed1cb4c9f501909e160dfdf745acfe4274468c24ea13380fcc8ddb87109276f4333b139c9012c060

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
1b7a5a49784c79769824fa4e8597ab27

SHA1
a12f20533994e7dff9da2de9519b0491366fd313

SHA256
ad5c668f40e48bbafe9d64e99d27c0b4b94a99920fa60a72e58d4992f5ef7a6b

SHA512
e0fdbc098c89974cdeefe14c16f4e8f3fb0c0c957dbee0729bb24d7fe92e292c7ab61aee81f4683f80f22021bca04cca3dd2a74ade687f7193fe7d7dad857047

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
900dc13ad4e1a8df180f3ce04419cd41

SHA1
aa9581f1cc4344770f78a838ffee7c707ae69816

SHA256
3841a7405a13a58705db879dda501d14dc0f17f4f4600cee278b0d3846c70e4f

SHA512
85eef84c9b03325d24f813cb26ba87029a952baba7e57b255fad6338a08cb1ec4cf4eb8faea9ddbac184c549a7d897e0be64c50e94fc38bfab81323c64194ef6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fc85e4543c736900723edbefefde7137

SHA1
cd71b5a55efa1f5b0b02ac4e0b74bb5598166f94

SHA256
f1143ab918331f97487be628a581725d7a45d9668db667dcf6fc5ef811a9d4f6

SHA512
7d6536e010d870289db3298731a80dc7b6ce0147325a7fb4d70a385ae6113f10c0d1e6b4ac008d86316ebc9bba01cbed5387fb16bcdacff5b11323242ce446eb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ac9b0c5fa16d67327ac4720322ccf159

SHA1
24cc6f2b6d2a695407a56a3951ea80b7fecc1b24

SHA256
836b3a410d6cabe949741c3d17b5a50c0fcfee4ef7a820cbd9252bdcd605126c

SHA512
fa08980773bfbe260b35340304a1fd5b262a69ce4e958708f31d7a238969eafe263795ecc927d702b97cc9b95f0495fbcf81c5a436beef7a13ccaf34818ed1e3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
875851899734914fd04fba654eb6701f

SHA1
5dca66f002625b23743580669695d82b3afae85a

SHA256
b8ac23975900fb5b3a079395c6e2d52e1c85e3c5a79269be7efeb38803ea5974

SHA512
cbdcdb4a54f99f68c6eb19f98ddd4b4173b949eff4c190b16c157d6d5e2a2d838066c5250d2406186f3ad9789ea5107137ad04760c0a2c85418697d9562c4d88

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
d8c08e70b9649742a6059ba50ba8ac14

SHA1
e0a6eb85bbe609eff6762bc1f4405efebe4ea5a5

SHA256
1aad1f203928f1700c02d8e36caf90639cd88b1a635113d97af42d3dcbaa36af

SHA512
40b9a6557009520793b4528be33ad8e68b6c5813701244f242eabc941dda143cc2e819baa024ae5ac12437dd0684fad93dd18f2672da6048028b019b55411180

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
b758aa5e4db43fe5195b26cf2a5299f0

SHA1
7227e5c81478fc9c6ddb7b1b4d1beb2e2fae90f5

SHA256
6d479b7b0e303e4cad59e0c3d2bfe4d2e64b59abdabcb3452a26187f5a434281

SHA512
27421d02bb5bb5d1649c07026e567c23babff1dae0b523b417843fa25581afa8fb4803d8823d5446b17a891a025a8cdaab2e6e7cb6270d7eb46e07281a1506fc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
be8076248a87fc9a60cc9128a9e12694

SHA1
94f5c21e0de22964ca8f74c6a50fd596e0b11cd1

SHA256
81301189ac27967dd39c3f8a733426a87d36c2e01b9a7677f859b242900facdd

SHA512
e340c7f1adbdae8ae0d939e8500654fa5153d606bd93cdb8064edcfebee23b39c8d5f1fd45db23fec5c1dd2c8bc182ba322aeb3c7fec181d202cf149ae2898f3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8749ca028220a7f3d45e0f6810699889

SHA1
11752441c55471fa52978e278bdb1bd35eacbc96

SHA256
4cd051f99f7745b0c26be13e824934327c55be2c5061301788c1dcf16de884fa

SHA512
05204f15c080f9e68cb010679ef86470d911c5230e254cdf7197acfd8c7155efef27b5b327528ffdd234c5b7af84edcc01b8f9573782ced6e8262ca745177fab

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8c3fb7b2ff44aafa9e7a8b9530333e9a

SHA1
df53be8735b032ca6719a1274d8cf40d10f6fdf3

SHA256
8db2f0c534379fce7800154e359959ff16c42195f3a94c11af15887f9a84ad7a

SHA512
041e7e49f624ceb797b8640075956d25316da692a0c46d746bbe0fe3467d9290e2068399563e8bf8b96984c61d33642e83b369843fdb74634204c4b5eb882ed8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ddda93f740af8121b867d176c98f0f87

SHA1
68ba325639aeb0c10a4be95ef21b31dc98c019ce

SHA256
af7a84c9a2a87fc62f9b3990813e26c0c28e724972fd69a139f6d24191a340d7

SHA512
db4e92251d4aa323991716082ea6cc9e333b47ad46e3ddaadd09a571502015b451f7032e5cc75bb866fa1bec5260eec958668749ad5581deedb39da914dc353c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4f7658c07decc098e812dbe5c8ca8ce0

SHA1
4e0e4f70b1302b146e3a4f937a78eb7fbf41ee83

SHA256
53748c53dc4f66e253743fe8ad6a13b657b882e184c9b08e4b43268fc0b8b223

SHA512
421fc58f2da62a5778644e7368fbeabd5278bdb74ec8ebb70582e24591e4df6b295e271e054f7db0f189708c01c81a827e0b04d65132f02d91a7873b09b1dea3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
8840a168e8342a1985b334780021b886

SHA1
abdb02bde8ffb91b9ab7fade5484c68b9a226421

SHA256
ea69ae6fa991d09a9a195c44903b92200338e83b79b5ab1dec2572754c4c230c

SHA512
7d950e55e725d968f50769ef8336e82b923102f28619a5f0e7e6cb529fe07969f88e97778010a1e1fb7ba4704bbeabb2697c265613744b84dfcfd74c7e196bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3c267c5b2b2487d333bea37968572e93

SHA1
fb0bb4cba751146a5c294eaa0b909ba81bbf9ebf

SHA256
aeb628bc691140909ae6aec411ef6f09dd654badc556311ae4523a7524257243

SHA512
860e71933866f7f5e7940a9c6eacff4c04cdba61f76200ec52f70a8aff5d3134c434672569140dcc85b1dca9b2a189b323120cad610259dbb89ba18415aa3df2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
dbb6c26c103277592ec6191450963d84

SHA1
70358c720624bcba52689dcd6b4f1d0dd429b7d1

SHA256
41b540eb596e09fd1c2626d80ac3b6936197ae4d9cd871d19f90dccba91696bb

SHA512
16965f6f693b666b585f681f2b2b552ce31f2b3a3317ca626fef33d84d05371a4f64cf836f7b3f314ed150fa4f2ac22cc49800ea8aed41d7a94fd6439bf95487

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
69d7282c4b498e608c2ba5a5218aba16

SHA1
a15ab3791a5fd1b671b4203d98fd206e74912900

SHA256
aea39799874d31862843a8ba13dd7b8f69c90b690b3fd33697e4c1a5690a349a

SHA512
0a15a90ab4fa29467ce9d0dab0804d1dcd7a80f6c863a3618791e272286c9819927470990452c25de0a4a0e0cc8c8408d085c2bd259b63d222f0760dbee6e53a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e16320ce5721c841304c909a68e8b525

SHA1
286740d0bebae4284a93227caa820bfcdc767aa4

SHA256
76b763429af603d2c22409ea04d5bd7957d99fd38757050a162f233761a8a36a

SHA512
e3622a6eb103440b8fb396f7b29acb40cbf50092f9225476b152beacb6b30c519790e526aed44612060d95e062de77c1ace38a3a87879082b1a11dacd7af6fe9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d074e3227512728aad553144f1a442c5

SHA1
0917476e4a88a07369d7725138f88856d257f465

SHA256
054971b8cb4137b01889938538f66c699409c528da16e98cd66cc59e954b98ab

SHA512
9a5bd512edf1b38f5f786c6a76fab04e4dbc6fa39a7217de74ad17158730af6bb87a5d14e2fd705bef5e5a09a83d641f4402f6e3dd7e2697065a9fe41bcd6340

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
f1845ef2d16e56e223b828c0bf8b6bc7

SHA1
f4ba0e3dbff6513b3aecd59de7b587f8a562a248

SHA256
d1bd2ae046404dcbfc68ec1939acd5df72a8d8419102dd5f3fd740a7f55fbfaa

SHA512
89f4162db7759a5c27a081a5a91835c8b21b34dc04c9c4b57ed834b3b3ab725e3e519123167b8c40457d5e486b976c3603c2ad66ad01242ea1321116907daa50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
4c4c89fed4bf3f4e8f9edf6c2f8f9d93

SHA1
9dcf616322e3b2dbb623ca21c5d645567dbab046

SHA256
35592018890649b7eafefd34d1b58c37e8ae0cd2be8c2b2b05c06b0a9ac7ce4e

SHA512
5cd5f3c1d4152e66bf0391e3a6588ab98359df4b7727806bcd9882fe6eebf72e24876bbedb4db56a6fa294b6a9c665800e87c7e4e6b54a095affdc07b0b3d12b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
68a7d89bad68ac0ca551c554df1d8aec

SHA1
44a16b76195d2e3048284b126c3c8a5054d80d9f

SHA256
73bc7ade07c3a54aba3a68d585033be077969c48804ca45b2956adca3195493b

SHA512
ab1a968ef4d0aa51becf370911f445607db1dab06c16941d49cf33cba09e7bf4f3e35cec0a818c982363c48b161993c9f4826af4f393b98a6179522ee473b6df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
274f7903c6dd068a453703f6ca6e5d46

SHA1
d0063efd20ba7ca657f752a6f2fae8b98a82bc7c

SHA256
2d5ffd8bbfd16850ea0af2961aa0d0bd611085b1452e0aeca1933582d6e19784

SHA512
fda07bf29eeabcd630c897ff40aef5b6a96d36ecece76960324bced64c24169d28e61dbe7009de8b8ced9edc9caa4e6cc8c410152a1a42425b2bfdcd617b52c3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e091414b4cc7ff689744e3230def72b4

SHA1
211267d5d83d6d3352cfa5aa3691d7a049345c0c

SHA256
61bf8cc7fb164225ae1906b63f99423446334da60566610f7582e0cdee9a6df1

SHA512
908aa64bddb4c317fcf2a9d06f08cbeb2f483b1c3b4649864f362c73d90b24678479f5d3a174e4e25f97879905b05311903b5be52ead57627060d9be5fc8d423

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
73cf0998221fded0e96d2f9b17af9d74

SHA1
b1675ffd58483a4e107f80cf8082ec52dd95c3a3

SHA256
dcf695b2da3313565249e77afc6f7dab7889ab10bf7b6a512b7e93bf8d5d788f

SHA512
177511a2d8d2d46314aad8fe2584da41d58036e89857534788459dd9f1eeda8e063e9b7bfa5f5d5a9ae8bd374dc05c9a0bd6f319c515cd374625c9de791109f7

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
374KB

MD5
c5128e73ef760dcce5db9137f4ca4c82

SHA1
bf8235336d0b0fe77c2640487ac6880cb89f2a9b

SHA256
1c8acb97b9ce177f7a88e9c4ea15ea145b1a3af84af9b6e8fca2bc6e11c9886e

SHA512
ed0d06659bf4d7632afa175365d3b557411dda92256d57c4e7dc0c5e0e1a2c374b8f0b0f2a51b51e2ac6ee929e38bce5611ffe208f85cad53773b05ddab86d2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
896B

MD5
987a852a7ddcdbbd493e09d658d59943

SHA1
291f77433135334bd020ba53cc440b5d8ef81e3d

SHA256
94620d287968d938f6883b815dd0529ad1a471d38728a96202867fe76f26e098

SHA512
396d32cddb0b6d86395cc05423805ae69ab814c3e9f927cadce2600cfd917fe5e3853c31dddae52d1c6ba967577f276c8dd90cc2d7c5be5c071fc5facd037187

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
f47403fc5f6534d1eb5e6a4088c86d84

SHA1
ed2116d28be10439a9f35145a21535ecfba196f5

SHA256
ec77ef8b1cbf32edf02950406ca4fcb7edcef00bf498b1a714d734363881b97a

SHA512
937af202eedc100d0cd146554cbd2a98c580210ece2f0e92a1f7d6d1dfc49cd9f0e47867e707fb6e57725ae62210d38af2df25062ac838e3ac42b3b4c37ec90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
b5f6eec2911357d46892f3f121c1046b

SHA1
afe00726bd09d7cff94e5f75a3aea3e8f2aa3c1e

SHA256
8972953a9648a2d883818917d7a503b7f5e96b2d0d7ad36af61866b541254347

SHA512
4ae4c5966d891c1fdb0c422dbe61ea092d66209d336cba63fcb440419711e7df105c97071b7543c63f6dd61bd346d4e72c0cb4831849ffa8b502fd1a02199fff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
8847a78511c615ff2804650801d33af5

SHA1
2210caa9597fddb57f910bb51a59a5d66ac966d8

SHA256
f3d2d697ad561e5a0dcd5b61a4c59ea044797acd643d79e3b26af1e6291f64d5

SHA512
3d0806d6921b6f3646e2b90f497c4b8f74725c363c5a0ccba2d957340c3e5135bf3fa56ae2dcaa7671c7af45d59e9709c5bb17f8faf77389069119005f6e2e3d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
130b6c8ca1d83dd23b1f362944ffff63

SHA1
8764c93eb32f34314fb31c5280cfcbe631093bee

SHA256
5a445d45f9c49f8e6e4cb5e60cbc85f1ca542f4486ff16cd66160350a8cccbc7

SHA512
305c0901f0c43bc4abc6e43176495b09bacaae5bdf9e3786499bdfc0813eab9e82c880ce2589b202bc987f6584bd82846370878217ee56b4e155c02132f251eb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
1a0f91f09aefc88e2ed88da10a4095c8

SHA1
bfd89ad68b1ac918efb2f43d0219934cc72b453d

SHA256
8c13e01756cdd25de5f57b7177232f43d15cd5680bdff951443772daaecea3c7

SHA512
7983982e3d1375ba70b4667b6166cfd92cad929b76d92372481a07ce93b9e23829edf51d95e94904a58c12f86b74e998e66ada255ec8f6477d0612055e4a4f87

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
da55a794fc03b5ed860c474ba2ac6c1b

SHA1
3b6b6d36594db5f072fad5aeca40bfcf9bb57c84

SHA256
665d5210ced3e5ac535913d5b301f55b8aeff40603aefa9549d450c37cae0946

SHA512
bc4c978fa4197b197656362da861bb7379bee5594db03117df91cb2091ad45c161141ad1718bbdc3655651e93090b0101faacf8b1812c70d7adb0347bd4c78cc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
69cd1b21e379cc61f42ae4350328a407

SHA1
a09579738a17065d35f0df78724f93ce39549941

SHA256
1e7eddcd0f662c9da879dea49cebdb222ffd6719e73e9df10d6b23bee835f8d5

SHA512
31594af8490db6e52cbf6ee90301c690f405e9e50c766bd99c82550cfb5f89848c386d7f277c38785f678e27d64590aaaf46aff2abecdbc6f0a0c093fbe00429

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6616d3d11fb61d80d81c6680957031d8

SHA1
73cbf1b5b01a543a46d8ceb025177ed0fd664795

SHA256
76755e73978ded437c71613d49a54d119f7ab57f9e23b3f99ff763c155904a0a

SHA512
f3c6240927853fcb584ae1b645b040752820639d8b0fd524a47433c8ad96ae9e6dbf4c090518a01359e3d474781891cffcd7154560d2392315d69af480ee26e9

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
ca78007636177e2183d81c72499b9d6a

SHA1
7b25393d4c3e01e92b4b4e0afc98deed4691a740

SHA256
547cafc7db6194ed314e443335719c70e81bf6d151fa5267f957330ee202303d

SHA512
c3bec10c04a06ee2a067bf1404373a08eea4a1f76a236e7a361c42628afc046db61f60536b6ae8cd49003105f3c24a4474121c5abb255f97753f772cdbfb39fe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f93fab3e842011991d94cccf4cc9c2f1

SHA1
81e27304a96d9a6616f4c23abf59f6a65715cd18

SHA256
d84f55c264ca635eaf4cd4c35fc29e69e4da763195d6334d9009ea91eae8abd6

SHA512
85b43f4334279e9cfb8085ed508b1890ed2bb48100206da8362b9bc6dc216d37505b2ab815cb2024075f6d054b347dbbc2d7cc30cb0f9402d9afdd555eee7ca8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8c983c38fee9e2c0622c879463e33bc1

SHA1
b2dd22ec9bdaf46c984cf4241a40a1ea8319cea5

SHA256
f0aa5f24b437daa72bea518b5c3652ae6b5e188d4dfbe9112f433eb257af1125

SHA512
ed7f722406ea65c589921f6026b17b33bc528c56065e96dc354b4d2ba3358397157efe6e9f1b2f700ed3007cf9223281baa8bf2502ab75c6164739aa2b190d0d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
12a58e743bfdf93b7dd99a95d08b6657

SHA1
e9d886dbbaad57df6bc9f6ae24aee95f627cab77

SHA256
f5e0e1114328ba7a74a544ea16444981e19a7a0207c29edc50170ecd7bf3ad2d

SHA512
d793b07cb97efd09efdaf3e5513fa53ee5e1e0737ea27cd5c8e34599352be3f120e40db6e0aa65d2a83259da17cdbde00b538f4dbed2190783935ff697097fc5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
416dde3fd80b6e4d80a4f83ac6d0e62b

SHA1
bdfc283bf9e60d9312f878162956fc533f558ced

SHA256
4018c9b32957970a7f977e5a5b6771c5aa0d944b20c3b4cee43d03a68f006f6e

SHA512
981bedf73742461b9b50c2fc531d97e956e5ec88b85c7f68f67afe2afdd6ae9700622c016d4b44a0b4fd5da1b5c079ec659066e985a6cb8d70e24d34e639496e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b7b400dc97676dd6b313fb3b9cc3d07d

SHA1
b5e965a5b5d17f3dec149f16c74c869da01864c1

SHA256
1e81407732d8d319a21ab6b09f8bb688336346b81ca3331c5c9171cdd980f11f

SHA512
c21ec53ebe8c95ab29f5dbfa3d15fefbda4ff0fdca2e74ffcdf4e2c6f2b73b25494985bae693d02a0c88e721ca4fd6de9a3df3c3842cf8ae45b2f37df384c45a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
32755cfc4016a21e9c70ee5909757313

SHA1
14034c07fc7c9aa33c0d9a6808097a48d9978c0f

SHA256
8f409b9ef0c737cb194e71072e9341083280da9eb12861e374a0b9038a28dc28

SHA512
45ee54c422f8d43e71f36072f36d559e847b09c7660966d75958f137051948e08f37635a3165c9bf36e4e3c0add3482d37c4804fa4015d0a57dc211315fc8523

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
53238bd009cc71cf3d4f00109dddbcb1

SHA1
c0cb619a9610face569640bec5a0c32021d40524

SHA256
4549824a5cce61b8e7be33c5323a8330637c39d273e26c82634f5449ec7a0313

SHA512
f82ed36bb646238caf60f3eeda491876b3d244115af934e37731e88d2a7eef56be94966c5977aa8927038735d9b79a5d665d64ec738252d5f8a7464c79c2c6f6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fe98b038d532b60ff4f50891eb045f61

SHA1
b64c02fd197ee416cc4e467f68602d71c5768211

SHA256
ffe18f043366e0312ac2b52a247fd10db8a4da1ed933f9948a6b4b5a3c297bc4

SHA512
a35ebb4f6ed90e96b3f8a11901d6a851bb5c1e100879ac12d753622693194c169a887c8dc04624c61f266b26e25edbe76df53a3053f666abcd53855d287ca34f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
87feb5b98797481881af79fd35477775

SHA1
8448e8d8a971cfa039b16a347550c52eae34129e

SHA256
f2f9c401041f5d6b27b0a255c2d5755b806016686a6563ea9a2fbead6576e8f6

SHA512
e8abacedc74ca73aaa91f0b8b2bec8946aa4e1cd7ae3188957c18bf35eb48652c5e9a5f55f83d2b1edf176918c17460b15a4b8f58903a66fca9490bf944a0636

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
9904ed264dabbbd4b11ab8e002e5f689

SHA1
72e2284ec0be65b2be2a72a39510bd4fafd7f08c

SHA256
ef853feccb12e6ce6432618b8da99f80ef55d611ccb89a1d1f03348803383b3b

SHA512
06e2461bb090114d23f9eaff7c3c9ba46dd79d84ea13b928da402488aa516203c87dbac0393ff167279377aa64a28728b08f085760b06f9c425e0d118f0f5614

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a30b47201bb3b50cdca98a247f0ece63

SHA1
146ec4303f7b93b6a51d67ee1bfdd6e35d247864

SHA256
c5f1838c988cf3d8d00a8c21f38f82d718851fd8585f054114114cac4db5837a

SHA512
a7c67a9fe595b143e755d02be4cc4e16b51fda91e987889fe8a812eb8ebea8a55bfcfb87db0777d7caa8bd2a7a0cea3a15969c9f89a1068ddadd19d6c2650574

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ace03c3aeb760d212bb8c88d010117cd

SHA1
02930d16d11dd26c6cdd6f43b03abcaff7d0bfeb

SHA256
2679470f84120d8e86d2e8d78b76b2520b941a0ebacbf2ffb123e6f5ce472042

SHA512
41eff20ee3f046a476ed87e90c36bc4d37ffef42eac8eb11349f1a1fea410c2ee5e4938339b09f382c9b2b146c409ea30c4b7880575c32dd80ae29c5f5502fa7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
c2fbe7055688bddbc38da5e20f833aff

SHA1
fcd998281e0dab5f1b30a573bae7e8a97feaf6d6

SHA256
638fd3091b1e56a65d32e09aed8b3a3a965064a08cb66f424aa364f66642c011

SHA512
f1d3cdd000a2ceec2a1ac365bd051f71b1308f534b2dd9e620dd5b999951981badec4310a4ac78a6e9ec50e10f10f457c18c73877dce5ea1aad0fdc4a3b2c0b3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
5fcedb09092a77459a920e3e6497ddc3

SHA1
97fd6e288136b98e6dd964e5240f29a27df7f47c

SHA256
18b8f0e29dfa9f20b8ced1ff2d3f839bba776d1b5a0d5f84d748b6a4dd53a540

SHA512
a845b9ab713e91b91f53960356358b71f12e9987324ac2a9ca794b93ee0f0db06d23dc8bcacee6b1b769a00995e7dc4562a57d9191eedd93e8bee3a996a0352a

Download Submit
memory/452-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/452-376-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/452-2-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/452-9-0x00000000024B0000-0x0000000002516000-memory.dmp

Filesize
408KB

Download
memory/888-449-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/888-602-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/964-630-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/964-964-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1460-569-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1460-941-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1508-49-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1508-48-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/1508-39-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1860-343-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1860-116-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1860-345-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1860-109-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1860-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2000-587-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2000-430-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2084-505-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2084-258-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2084-155-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2084-127-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2096-871-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2096-506-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2200-354-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2200-525-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2200-377-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2272-494-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2272-806-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2332-96-0x0000000000DF0000-0x0000000000E56000-memory.dmp

Filesize
408KB

Download
memory/2332-91-0x0000000000DF0000-0x0000000000E56000-memory.dmp

Filesize
408KB

Download
memory/2332-104-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2648-58-0x0000000000E00000-0x0000000000E66000-memory.dmp

Filesize
408KB

Download
memory/2648-64-0x0000000000E00000-0x0000000000E66000-memory.dmp

Filesize
408KB

Download
memory/2648-90-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2648-51-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/2868-886-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2868-526-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2916-18-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2916-28-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2916-25-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2916-24-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2916-381-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3068-588-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3068-945-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3396-633-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3396-464-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/3480-378-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3480-387-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3824-544-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3824-398-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4048-981-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4048-634-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4064-905-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4064-539-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4264-414-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4264-568-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4324-564-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4324-545-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4616-653-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4616-944-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4616-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-662-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4800-1030-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download