de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
Size

1.8MB
MD5

19f3bdbc48deba3321b5492aa5f2acfb
SHA1

3b7e6cdb9fb39305651ca943583bce1194904637
SHA256

de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de
SHA512

c131fdd9102a2f32194e52cc82904d3c85e1c138d877e4a795b5e20617d03f19fbcd59cdb677a16fb02085471b1b236d5ae10f01846727bec8ede946fefc83e4
SSDEEP

49152:zM9QPdxwfE7WlFwKAfzuTiDFUFke5UbU62FAQ228QKl:z1PdVQFwKZCFg9qj2FAQL

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
184	alg.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
2216	fxssvc.exe
4684	elevation_service.exe
2020	elevation_service.exe
4900	maintenanceservice.exe
2932	msdtc.exe
3252	OSE.EXE
772	PerceptionSimulationService.exe
4828	perfhost.exe
4536	locator.exe
3560	SensorDataService.exe
4968	snmptrap.exe
2748	spectrum.exe
4344	ssh-agent.exe
1792	TieringEngineService.exe
3060	AgentService.exe
2768	vds.exe
1812	vssvc.exe
3664	wbengine.exe
4624	WmiApSrv.exe
3196	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\locator.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7d2b9ef02b574d51.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\wbengine.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\AgentService.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\spectrum.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\System32\msdtc.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\GoogleCrashHandler.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_ko.dll	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_sk.dll	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_lv.dll	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_hr.dll	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_fr.dll	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\GoogleUpdateOnDemand.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_it.dll	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_ar.dll	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3856.tmp\goopdateres_ur.dll	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a6dff403f93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000108877403f93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063ad9d403f93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5083b413f93da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b10a0403f93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b72a2403f93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008179ad413f93da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe
1424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4612	de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
Token: SeAuditPrivilege	2216	fxssvc.exe
Token: SeRestorePrivilege	1792	TieringEngineService.exe
Token: SeManageVolumePrivilege	1792	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3060	AgentService.exe
Token: SeBackupPrivilege	1812	vssvc.exe
Token: SeRestorePrivilege	1812	vssvc.exe
Token: SeAuditPrivilege	1812	vssvc.exe
Token: SeBackupPrivilege	3664	wbengine.exe
Token: SeRestorePrivilege	3664	wbengine.exe
Token: SeSecurityPrivilege	3664	wbengine.exe
Token: 33	3196	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3196	SearchIndexer.exe
Token: SeDebugPrivilege	184	alg.exe
Token: SeDebugPrivilege	184	alg.exe
Token: SeDebugPrivilege	184	alg.exe
Token: SeDebugPrivilege	1424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 3952	3196	SearchIndexer.exe	113
PID 3196 wrote to memory of 3952	3196	SearchIndexer.exe	113
PID 3196 wrote to memory of 3776	3196	SearchIndexer.exe	115
PID 3196 wrote to memory of 3776	3196	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe
"C:\Users\Admin\AppData\Local\Temp\de1e96328b68ac6d667caac9134355d8f3b428132fdaa9d40b8555dffdf1e4de.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3528

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2020

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4900

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2932

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3560

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2228

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2f203406673e97ec38e3227360245cf7

SHA1
162d49d4354d9b73390d1b9fc244a505e488b96a

SHA256
b68ff9ff2efbe99282860da597456131e71589a809c7ce30d732595ee8ac0c01

SHA512
2e8a3fbf6af84402137df669198773f72669cd8dbabb1575143a3d89f8ec31a810621fd10daea9ae31f432281bface7ea95e2e1241f7e44e5b61e5a95bb80899

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
cb6a8b38cb39b1e6e9021b9df5150cd2

SHA1
80cd32744dc72df2db9fa1841b3799cfe257790f

SHA256
8733744f8bbad73c5dbb6b9b54f62458cacbb1c90f99b8cd1ad55377d9f7d2ab

SHA512
6a38dd946d92e963957129294aceba1ab8b884862b7fb07fdce67e2928ddff1bd1421237dce84fce5da78b78da048108634c07d4745ef2d1497ae160ff17f825

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
82c64a9b30395b8c90b0f02f4beaa432

SHA1
881760573df4780604fb836d1cf9ca10c80ac13d

SHA256
290e13bcdba3845e8af343752bfce033edc7a662229124c717c40d7467ff2adb

SHA512
c73a361aca288c408f93c57d60b88a56579666a73b0ef3b4759238c49793ffb56e132fdb4964499a40036ef05cdd134ee275cb538b378e3703c15e041ccdf386

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bb0cbd0af601fb6860324c8dc980b0ac

SHA1
1b2a40e23cb17ed840ea0801d5bc338eeb77cea7

SHA256
576202f6989a29d2d6b9ddad101c9550d1bc4510822572e11b57fae91b21566c

SHA512
69f2905d658f15779dd0c80052d967ffae7833885914667edb51fb27b90fd41c4ff4a0c7b47c91cc8fb627a9ed50d903f7a62d95aab93d9cf612600149b5018c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
231af6f0d128ab11b6ec72491c7b83bc

SHA1
debfdf4b9d068cb28600fc4313ba2cc5f333e9d6

SHA256
11541fa433871ae804ce622e536ac11890e1de4456cbe9667f20712b8b0b2960

SHA512
02e67a8bb60305b8a1c5dc09a878d19ed376a314958e6b68f664750bd3f90f93249d97b7872c7e512691a75c324483f2e0b0793296bbde9ce63067a3b6007511

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2b752cf8b4ad283e31493980b28d4547

SHA1
8a9d487b4efaf9156bd8dec0af6f0418709aeafe

SHA256
37ec67c03fd4d372498b76b1d2ca3f0f51329afaf0c839469357345481a6f55f

SHA512
fcc91aaf512a4df582dd40b87c3c854590fb2899b50a75fc745f33723d99e3acdf0d0c8c553e9e4190810e22f6950a88e59827841968012854d6ec3e7899ba45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
51f28fd093dd269113e00b92064f30d1

SHA1
5e1f3e0ae5dfd8f52d79cdc4d31fa49a09bfbae4

SHA256
4e70f5626f801c0aac67470a4ea1231982bc6e5cbcaab5fc01e91c041fec1df1

SHA512
8e3b94cbea4abaa4e94c662ee310ac39bedb7b286f465ff7d8e1374e4792875c2dda3babe0daad7f2d68026fd38c7bec36f554713ca0825128758440606f3ddf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a9fa85ae88665bbb9a25ebe3c25c25f7

SHA1
11279ca51011f58959dffc4eb147895ef66d5f71

SHA256
d24ea1af005eaf4e0b45a4598eb5607ab9cf3ac4b79ce034ac49e95bef954fbb

SHA512
dcf4781e22d36f976bf5320eed3bf9167f8f32d17e5340f695a0476c7cc4a7747e7481e6072090f99b7e813fb2e87c07692a50b7cbc970e9b4ac5e714b0ea1f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b3871c90b9d95cdaa73c800da0798292

SHA1
1b87eda2f2df97d4da8e060cbb1caafbd3df0aa7

SHA256
30bc973a1c466b33e5e34a2e35a524c8d8ae961f87aec48858e937bc80b6ed2d

SHA512
15787ad56f0bfee263a6970aea4fbde34a2854e2450fce457e3eb6ecaf22455e14be1cfaa6e822ee747f12c79d68c3e83e1a58987fd040b9b7db19532cfadd78

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c073fc3294c1434486a1fd2b873f54fe

SHA1
cc66553c600f71e5d5f8ef4f0639e6ce1bc76f1c

SHA256
0fdcde4f8a21e27971210e800d6c624122f2f59584a64c661b02add8b52ebbe5

SHA512
72e78fb98ee49b145a5b5693fdabdf6d86f6910d258196bcb64a2130278bef419ddb2a1672d46e6c0131b7cf86dec8b9f1035ade376ade161dc5d96d15924c7f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
241d33803d9e600a8e32b215f8a159b3

SHA1
70b72185e72bac973bf7bb0df16127ae33cbff62

SHA256
7a581da88856e0af9189a0d98473ed674eb0e6d54290eb43663ddb5f153a286c

SHA512
a6b3d576a931afa43926afceb745c77ffbe37a4dbe53f36df0ba41f613b220b2b5e5bd3c36d56b797d2ab633ecbbe71c1172485a41e2bb9af143cc6bf5cfc27f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
17d61277237efae736312531bfa2495c

SHA1
8675b4a20d9bceb1873b54874083261d29caa177

SHA256
844adbf0b7abad827b57c08325d2ee1eb32262eda26dc67a3964abd1379ff835

SHA512
692bb04d90c477800f9b50d39fcdaa8e0e794441f0d58447b31fe6325c62434f0f32226a4fc2e3bf5b1a47c64510ad81273a31b1c8ef30486766e46e01bd1967

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0cbbe0d51b27c3c98b8760e3eba61409

SHA1
5ac0e4ca40cc056a8eaed47bd193d328b0e5108a

SHA256
812beea9f79d6b963a337a7410382842a5d0d7d06d8a4b4754a5aff033c04810

SHA512
e9f9c9e7b357f73f4186ba19def7be638430134ab675c8e2360feb51ac1bde1d3f347a41f66bd725111dd9e84500d26fa3900a4d5794183c39a6956258a3ee2d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
299bafb82150dea5cca61cf5e5056904

SHA1
9a53cbff2d78d8aeb36d2424bc505edf21e2f42a

SHA256
c3de34dc86e4a6bcfc35af892610dedd5c5f51568ec87c5bccf77739bfaea182

SHA512
6d3bb5368e4a38de6b036c9c3818b3392db5d237908ed72a6f5b46078b5c9623134ec2a6b7f94ab1ff6e3702f43687abaa453cec93f955b7b174f771accf23ad

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3ab4e7f3bc86ba5cacd6498c4d93709a

SHA1
6c5abfa6caad06de5bfef28ec6c1176552f48c66

SHA256
4ba5dbf00bc9d25c8767bfe00391fee4afdc481db8ac0c44bdeda0a16d6395a2

SHA512
f9d5d4bded94db7bcfd6cdfcd8e6572ab844676fecd31bc4946596d119537e52bbc5ca9d86f15cf40031a1d3ee9f043209c07d148b2f75e4047e5e665556cb7f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a9e71b10c84ac01bf6599f48d1c104c3

SHA1
168bea4767e7fca8ec5ece8a9425d295dbd52f71

SHA256
129ac7fe9392ccdef7068d5f3bc71ddc4aa2cb80aeda64b342a8c0453a2c2481

SHA512
b60dac317c82d786372eccc228b22d844ea752bc06c0a2a0f5648fd9c1e6cf516aa8ebcea57325abb15517fb2f636161dfe68fb4e3f75914394e5cb43396b07c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
b375e4addeba4cccfed9eef25eb0bc8b

SHA1
e4fd5ccfd8b23a73ea96e27ff50aa1afeace9fb5

SHA256
45f457b57ca9b6e65d75106d5a8478cd41136126d624938088686c42f246dd79

SHA512
cc575902611696b5584b3ba43043cd3d360d0d8e2cad0cc5bd95e2f29e86e1e5f4d3c1f2b965e252ed4bcc88a98f18fdd6670eabf3a4f5bf0f8043fe7e99ce13

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
c53fa10b710a5824726da79ec5e3a81a

SHA1
97835c4513b1f8b35792aa0afe30b30ffe9bc0f7

SHA256
0656e88d5e3692f104035ea2d33bd56b5f7a1db31896a113702b7bf902bdb834

SHA512
de2e4336a0172ad5340942f909718701b4b8bb194eb3565f83aa1ecabce996be4d6ef0b1a7adf0e1059793a3507180774f076a4c36637c451e1eb9b23b8749b3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
15dd1a63169ca87441b3a15268f7a91f

SHA1
77305b81a9dc1f43e5a88178fe7bf6dd9ae7b592

SHA256
04ca150357c1892326fe37e99d38f4985b8423d974068ff23efd106ed1fdbf35

SHA512
d22526c92d1a3e27a707e1b4227d37fca622795d886a810b48498c504cfbdbf23d4ac608e9ba4c04de69e2c8ba8388b8642846cd4d5cb10a1af6deb44025d5fb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3a7217e35a45e05511bf2844a09b57b6

SHA1
81e962f950c10d30a1b07143f2d67634fe13db4e

SHA256
9b37614f1eef58ef292ab6a3cf1945ac04c5693562099ab2efd63683ce383922

SHA512
1dc95d0f2f1a9b9211d86fc719d69c06b71cc4a3525bf303413f715814420c49be38a39d7bcd72c7e6b600a5a28493d59cf9cc12247742370c5dc2cd9121e0ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e3f940c411c99463525f817f786d4e89

SHA1
32fd417338e39bf6288d4642eb4ae160c3fe5543

SHA256
94d7e46b1226e2df81e4860ce0726102146b918440d6d736426781eb7b55dbb8

SHA512
4edbf4a8e9c72194c420bb4da7e299a6d56c4c22d1577780461ea53384fa29fd68ea69a4da8d868ba12747bbe784e2b37148ebe2298bf5ec7ce6c1de07423248

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6898a7bd448be9f18369339f6c3603bc

SHA1
da5d0f48ff05fe1d2783fde29fdfe4eb4c59149d

SHA256
917aefd5df3d2946aa1fcd79f5ebf169913a57468ddee0ce561b0d0574e1d9bf

SHA512
4aa00ffefa67853e591a6425d8894c0aa79f5e3b65dfe59293e9921ecda17e5605ca06235333760c185a2a15fd1cffd5df7a9f642df6747b74a29fbba40fc569

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3d2e2e9de97d42b5bc9c6f8954d088cd

SHA1
8c476dfbd8da33c0d32d4c6424fb585087b591c3

SHA256
1b1e02b5e1a6b6cfa1f35c475b88b4e98b08a912e67559ef5d60098345034c6d

SHA512
431d101619e28d9c7a50d049baf8e7ca21dbc217d5cd1eaf55f698bfd0471983809d2775382c6a8d8904a03c0fc32dcb6ed2f62b1ed5bb29b30dee6b4361ba40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
24d8a6cb40cb481ea3391eea8d881a92

SHA1
b589957a8c51ee5c3db63121ed5b64edd13ae38d

SHA256
2bc8fd7793afaf36ead3dd9aae514d39212d05935e6b742e8da6fb7e147de2bd

SHA512
bc3577c0f5371cb147677f845e232442986ef43cd9b33ca45ee96dda47b427141784c62c621f6760e3e5efe60b14b83832ea9e6a9e76ee653824dab2cefac735

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
04d70d85d88bd035ce6dadfed0a451df

SHA1
f38c7a341e430b4417a31055c8520114f6a62186

SHA256
54e7c0744c1b075c7f73adc9855d771cbeb8af393fcdb6efdca0ac9240e0df7a

SHA512
2104c7e210d6cfba199132009d4c28c7878cfc1d02cd0bc99d4a82dc1d72060a8d64ef4e7bdb5713337456182daad090a69373ad26abcf7ba27c91ce2f840b04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f07aeae732bb1b1b22b864597ad141f1

SHA1
9ef6218b4864b1d8e485deabc61e440e49ce4c49

SHA256
2f5254cc8aac093dc9a0e82a69083a8786f33f390b94f5f535e11c4cd9f5c540

SHA512
0b26fe76e37686acd0ef38f838bbd02f086a89586feee0a382fa0224f3a6679c60327ed3d5a1ff62bf80c6e0829190ca1b06820cda8a23da891da5032071ba43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ae905264a8ba2b8f468036885a7480a6

SHA1
aa50b9c8b1bc7a49411d74efbb5540839287eb63

SHA256
a07884c8c337574567d1cbbc76ed6cc0d3660876d4cb5024cd35c3ec021dcf87

SHA512
872fc139057089a08f618751dce2595c187e4509a6e3d48f3e72f81948c7265602094c35ae9b47def29da2cd493e3deedfcf47e10bc5fffb033c27ca4a470e3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
081a724af90496e7f158328b4b97b78f

SHA1
0923b24ce4b5ba11e568b2a3fbfaa8e628eb58aa

SHA256
87ef57d2721f488d647e655d3c34d829f1c46bad5804535c190b54d99069dece

SHA512
646d7fa497c386f6a52dd70a0089bda5cd7a0ba64a3622b17335c6515d0468574d9149096ac595c2c1e62c66e48b9b02b0e3bb10215d068dc004db5d2191e1d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ad9e4ed497847226eaa0dca2d18b8e50

SHA1
0910c42579fe29d8634f65b8f1b9c02acc9aba09

SHA256
eefeb7b65a8d9f42e61a7cf40819ec9dcd40acebda933bd0e9452a735615c12a

SHA512
692650ea7cd6fd8541c7c1a0cb844384654b173bb80b5598091d1db50f634b8557fc20891b55ef403e8432f1fc70dc1998c07a2336285454a9230fcc74849128

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
120cd598041b8face43192a1e5cae332

SHA1
c32d5447203f547ae53f64391cdb806ffdc5b182

SHA256
115f4f0622dbfa225f7c8df450f43482e9fcdbfc28645ef4e0bd94e760ac7066

SHA512
209963244f13c055481e8ec4ceae9332fdab000fd2edf5e8b413d9982649cd9170f2a7d61706f65a54176b08d12514dd0599d016333d1fc39bed7806e534ca85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
d0ac2633daed6b5b6435c79696b1f09c

SHA1
df123658aa7ed4ac3320a49d0d20c0bfcd0f5a12

SHA256
486657d0742674bfcab13cda4f3ff78da9af85f8090b973ab23fbad6ff1417f9

SHA512
7e9c3d10248eec3575ba83738ed1ef98f96eba51695aa4489bc9f744513989b36fbb74278257800ae2100266ddd0c3d831a03daa958f7dd122f049025e19f54f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
48fe4dd3873d7137f858d623f5131432

SHA1
5fc640d46dde354c00af2df65eaf28d8cb0e6fb5

SHA256
b41130ba606d82731c36713370be47d9c891b36ea2d4578cfcff36b737825a13

SHA512
fabfacedee84bf2d85246b10aa182df82a13ea0437d48074208cb6ab50193840179f7c4caf828fb6141db96b73eafc6bfd9c75664578e33d74d610016215cf6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9b80004fc892e0e9f101e09e6bd442fe

SHA1
eaa65d3237b1b9695b2e7c0752d750ed7050ab27

SHA256
93d183ebc4d42ef2420f5430476723918874dee02628353329685a0f8219bab8

SHA512
1e421ca31898e3a282c8ffacd19627761f4376263dac27310637897a2d1803adede43fefbb21673b7a3782b48587ae83f7e4367d9c8cbd59071021391424f2ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a1dc696395acc3a4789571e8ad2041ec

SHA1
5723d0e07501776af2c2eb5fb736172f6cba9024

SHA256
eddbe11ac6b17058681250b4f8d5f85d65205c53bacc7e8d706adb713d19caf7

SHA512
7d77e6072a4bddc07100d1d89b514592b10c9af8f29409965761ce4ffd0e185444c461ddded47f851496c089f21decc09dc9d9b748dfd17abcffb4cfd753b47d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
26fbac177eacbc6cf413d2d2685846e9

SHA1
44076a774b48ab256d87ceb486904ead9298e4c1

SHA256
888014050e97c57ef91ba81c05f22cdf15581111fa4887b0949b87a29fef58db

SHA512
e12c8992a91e44605e575f8e8cba2674fa47538507e807597df06605907c958b1c6ea9130d29a1497922cbd1487435d3559d9c86b305f1a62bd3255b3e87e504

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
ba548d60cf091f8f2781020c0bd3ac5e

SHA1
d1bfcf97a2f2c4f0997b1c28a667ace21ea6b741

SHA256
4059f216318d5307e34baed1c000d397b767ef966eb5e72691d669a00e4157cf

SHA512
b83635549b75978bef1ec8293d68e0870977f716076f4473c12aafd454e074e85c8468a025e812a2d94be243fd4e2538dd0a5cca01468cc4fac97b99b7e5e224

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
180699684a35d55645fdcbd7e33d8eb6

SHA1
451d5da3f21f75b2bb6d1ae68218a9eb6207ac9e

SHA256
5b7eda9f91abadab2c6b7d73d76a894f0d57e8b7839e4e9263baa82b4e7b4549

SHA512
030d8cbbf267bb536a24878b381c969559a1dc615d5938b1aeeb67205ef6fc3627e3cafeb63af572b19a07acd351eb96b4dfad2be0b63117730f973e0d2edcfa

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9fcb0b70955a2b8bdc22fdad3229e7ce

SHA1
6059e3a42446bc5ccac08f3ec351c71af87c05b4

SHA256
0d7d5a08b9b20cae7f83d82b501dcea10c03edb80aa66cb70ad44c0dc1122981

SHA512
6a47559b747a0438c9a6e6e6fd0988ba27faa1e162abefb1c8b4ea9474937a85ed04684a77dca3da42d5f7f1e4dfa9e579fb52070f850978d1ef1a21c6dd6ca3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b14c3a8ef6504313eedc33b1afd8dba5

SHA1
e1314dad381e00434810ce2a958f12b3a52e83f5

SHA256
a2c2b50549e89db75adbed6b005d1bb6aabe4684e0130031ec6dc2ac7c4b7699

SHA512
1657a0ed9cca556a90780e9f021a3a2ffe0d26c11e9d7380188b546b229a55cf596da8cc5c0c639d82cc1d6c831955775bba436cb8d1062939f51b4986e83b9b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7f0ad0a58c05414abd10c3403a487d44

SHA1
d35c3944f4d5b0a05ff38f381a780c4736fe7307

SHA256
426888f05c7a9f95767457693fdb8b1961a39c01ce5e8f07d86ea0e12f10c200

SHA512
9c6d88a80c4b977737b4ca489e50e404c3eb12fca2e73470e70c22f6710b580410bdf66aaf0a30e2a75e4cf3c90d2767bd7a62a6db6f8067bb48744c403d39ee

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5548f4cb00751300673ec93375dbbb62

SHA1
07e94cc96fc0534cb64513779d7a6efdf107ee79

SHA256
08050c8436fc2d45665b6924b8d361d6fdedc5bcd24955ceb73dd57a8e70d5b1

SHA512
001e653f024d0749b7b323dbb76f1f0a4361664d80c110deb15b2be1aab2ef52e60ea9e162f81c603e638c993cf7a3dbbaabecab040eac81cfee786af846aae5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b531dc36e79556a8375f24e3237ce62f

SHA1
ddf1e23801dd5354d5880a0b0c1db44e8a4da7bc

SHA256
70fbe1a36f588aaa5e80b595ba2433c30092f427e58329ffb8e2890130d44ff1

SHA512
d1dd78b62613d49bd764b0fb52852f3f8c03f596698f6622f184dfa561204ea63f139b797cf48e4d4e6d271f72dbc3855a4afc9741c262e147b5bedb4bfcaab6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
09749c465ec623396528d7ca840f4d13

SHA1
fa1acd0a405cdf00fcf82a1e0cb8faae8999ff50

SHA256
4a582ff7c60017cabe7bda883fddf5e33617c916ba89041f7ef951d53c1acaa5

SHA512
6b7319014c429dcb648e2871cb26ce869253425391d357b3283f06baf370a949c9339839cb764ec44d93a69bc34bd458c0453b8e060d05e50c539a801324f362

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
16ee4d7499fc49ee89ed36e67d5aed08

SHA1
0373daf59771c219ea070bef3eae3dbf14534588

SHA256
156d9e135155614170cdf6d787ac91879769b397ee3b256f9afb9e57b69cc5c0

SHA512
5702f288f9518cef7887069324f8ca0dc4f1f0e556723b533a25c6318ac148955c27317e649ce8d57ab7d018c1db3f2c71bd06f21099d9e78d71db167831bfe4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
28466f0d95e627fa4cbeed038afb61fd

SHA1
d70885013a33c805ce15dbadabb0119ef2896092

SHA256
92ebae8ce92a84b7fb947e6efa3858cb1edb40db4c00cfbaeec04e2726ef2317

SHA512
9cba9acc587f36fae2914d519ae30b0ae8a357de781237b339c3034a85dea7c62d1a23fc44f0f7fe5a43ce6e81087ebd0832245fad7ebd6944c3fd08701c5b35

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
5f364a5aa3e1bd4bcbe6441f3edcd694

SHA1
673a4222412706c7109e6326dbcfdaf9e803df4a

SHA256
251f344923e0c3ba5f2ef69c31f0291b17fb613e5c93beeaf666ad0141fc63ff

SHA512
e3d01d6294b59113f3d203761687512cb1de14c7d01abdd1cb71e2865b6ed0adf039ca05d543aee336dbeffc048301a3bbd87dc3c5e91a071720e5ee34862c22

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
487bd225317d7e809ca395bc8daa943d

SHA1
ee98c81a1b9a76da54784b7b092141491438d9b3

SHA256
9fb8b7b4cf189fd333c645357c1f0b844f5717f3e30261a0e1c0c87e59f5c23c

SHA512
9d2c30f60ca5a4e9b47405485d26f8851f4aa38ceb1f82498a31dc512a230be529eac77384ec62d5a7259d509477e29faab30a77b955183515ed281dcbd33d2d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2165c5319c419a5a25221a31ae1ea7eb

SHA1
d773792c89941067e74e9faa95a5fb3973f9a1e2

SHA256
a0211de092644818de51001a22080b65a76f54fcf73273ae61fd43020c56ac5b

SHA512
9f4dc1feb7b45abc064f066d5a5fa1c48ca0dfdfc74af2def4215ebab1934f38fac29ca1611bf33d29cb0b1aa02d9ed90c66fd7d53f280fd08932807d6d1b790

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
72678ee960a8c9dfe920a5492c2bd7ed

SHA1
b9855c87218271d2e9b5e70fe78d9f80bf35d057

SHA256
f21a008c01da05c2c87ce9acca2af706f063de0b4953eacd23ae25ae0c40fd84

SHA512
87e6d139218a027a6b40a47d038a8570e00682b4e7d28a1fb821d69074f1e5893c71a4fd355f78f4218b6ddc3074f62a94981a2d989a8a2b369d37b673842bd4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e3e41c0822bd2a2681adda0cc0cb25e0

SHA1
dff0e5ccc92378d1673c7a62bed6377322092789

SHA256
556398ef2fbac1c2a8ee6f58acb1514a6a00d0385726fc78b550289fb3a7c483

SHA512
4e3b2f30e8514382ba24eece41c6d2745a3073ba3e65e2be2d8b785ce3d78f05063d0dbe5712b99e2609371e9523af736f231d31491ffd406342ea7a98d23f70

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a571a2a386a166a0c0c35536ae5a36e6

SHA1
0d614345326f7bb951566f66b3a5a54a242b1ea9

SHA256
aeb48408035fffd9b84bca5e5dca34d08b3acffdc8b5658122de71f52f63dabe

SHA512
53b985cbffb3cce80b0652b2f04a87a4ccf54db1182e06a785cd38b64db7d120b68ab8b76866e025b249104d95c62cec121c65406b9de8ed3eedc163219956e6

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
00b33735adccfc068d5aa7f5ad24abe7

SHA1
ad072360b259c35d56bd236943c1fc99ca6c9787

SHA256
4ed57842852e18058614c42bcdb61dcb4435eec254aaba59fc6e7b047184a9ba

SHA512
db00fffba096f689a2f915cf1d75560fde2bf1978ed218603d18acc6120e558de7db8de3da69b7beb89400df184bf0a1dd8b351226d013c5b6ffd746bba9c30c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
437355c84e4f03df5913da2631d2cdce

SHA1
e02b46428a2f109d317b22db30455a3536371a1e

SHA256
733c3ce62a7a051b2e0ed1d4d6a0c107c7450255d2f8ce7eb81d61fb714b4974

SHA512
29c2fb93d747dacb266add09e832b6d20ebb80082a3a71510100937517d51d4723066a77ace317e059e65d44ad91fe0400b6c61734d60c45ae221a946494a10a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9e3863955feb23e255352a35b970a201

SHA1
4331d2e9961eb03f2da14948a960973f8cd8169d

SHA256
84383dfcb4c5aca12789aa0b7ce09ae1f6bfe25e54f2f1c3f97dc958b4954dbb

SHA512
ffc50a9557bf8fcfc466632b50c369a50e0a0149b984a5bd223ac99ba22181eb476fca546107c8903c1fe425f75df0895202de3a7798c06ab7d1c80db52b34c9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c98e1ef4f3dac6e80329298ba750396b

SHA1
29401f8a65c8dfe5271defdb450eee5bd46bcf78

SHA256
adb821bfc7964e965b0843e5b6115fcde16139aa6c8bea0237da3107fe3abd8d

SHA512
cd27566cb384a1632848a9fcece3b2fa89afd29e80b624ed71e913fdab0ff2389e24d9044ec602df8cb710bd89ee1059f6a0b52a517e28f4f47f5303c554a9bb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b8e6043c7942c876b805df41d3bde4fc

SHA1
7133280e59a99e03af852fb984fa1fa5e8a9a5a7

SHA256
a5949b2bce907360f271a8cfb572a3a5711245d7442c36b0bd0e9f5c4f64268d

SHA512
c29f2a2ae1b752c0e57a5e0ae890339754847c6531d48dd96902014de2ced5c1062462a62192e8770c881de5e1138905fd45b2b92672e1b5a4e150fe0e04b116

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8be502eeaa0ea65f7b1ecd1eece5d2c4

SHA1
e448ecde03c5fc753eed9ae18cf2cadd2650a141

SHA256
d615ddf11fe2f9aee1b2ffed01209446e605e1da5c1bdbf91e5d86177e82bb93

SHA512
a3785e35732a3b73952751ea3d89b7973e21cb04384191eac7e58299fc16548f2e9b1ab56b1fdcc1106736c6586941e26584ab082c1e509914f9d055e7378390

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
17ed8c52eed3c61f6e06b6c7e6661e0a

SHA1
c65a9ab1f9e328f598a6f5d4f3c9461a9baf8773

SHA256
ff9448f0e4a5e69eb42611df558094af537b806babcb4c095ae0aa2242eac4b3

SHA512
28938b5f8ed00298fbaa6d264897f37571c48090625354e7be975700160c773c479f286f6cace56b5a7106060c14b6b12ee3f17a1d7fc256f3928fd078c0ba59

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
7e85bf9bf663acade398a2da2063143d

SHA1
b423028b563440f3e593295f845c6c9537e0d4b7

SHA256
afd6180ffe1a6ebec5c2eebe9d6f3def70a957a44e0583d4ad909cc3c1ee3c83

SHA512
33afbb8d357a142c85a63d7fc5a70061b3813c24ab8fc6f37ced2b2725276e0eb2e1a39c4e9898c3dabb690d74e9f9218bfa47485d4662ff9096ee72f50c99af

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ec939a0a54b5911f8d09070de45f8d46

SHA1
fabad3c70b47415b6fdc8a9ad94faaa7be556874

SHA256
52b542753652c064918c6414607cd1e33a5d8b2b7919ff3118b1cc6f91f87f0b

SHA512
c63b8393c94d2a3911bb4949fb1856717548415e43ac74f56127333c92f917a3ca3e33660fb29a7f92e1c1cfe7fcd338ca87cf2584a09e2ba919a9d535d05c11

Download Submit
memory/184-12-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/184-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/184-88-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/184-145-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/772-200-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/772-256-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/772-193-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1424-162-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1424-95-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1424-94-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1424-102-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1792-277-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1792-282-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1792-353-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/1792-343-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1812-318-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1812-327-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2020-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2020-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2020-141-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2020-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2216-115-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2216-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2216-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2216-107-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2216-113-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/2748-257-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2748-247-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2748-317-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2768-313-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2768-307-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2932-228-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2932-163-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2932-164-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2932-171-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3060-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-296-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3060-302-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-305-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3196-367-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3196-358-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3252-180-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3252-242-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3252-188-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3560-287-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3560-229-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3560-220-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3664-331-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3664-339-0x0000000000C20000-0x0000000000C80000-memory.dmp

Filesize
384KB

Download
memory/4344-270-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4344-330-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4344-261-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4536-274-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4536-217-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4536-209-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4612-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4612-1-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/4612-7-0x0000000002430000-0x0000000002497000-memory.dmp

Filesize
412KB

Download
memory/4612-132-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4624-344-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4624-354-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4684-120-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4684-128-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4684-121-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4684-191-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4828-268-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4828-205-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4900-153-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4900-158-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4900-160-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4900-154-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4900-147-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/4900-146-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4968-243-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4968-303-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4968-234-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download