0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
Size

1.6MB
MD5

67045fcff555a4c874c6ce455e1b88d6
SHA1

d23976bfa5e77ae8e4bd1f7456e37a703169b7a6
SHA256

0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b
SHA512

2cd00bf1bc1aacc11ac059cf3a16fdb38dcd928813d8804a9ebd60d675ba64027aa1eca633db439403f996c94118b6119140fd628582cfe94599fbac77030f06
SSDEEP

24576:yCK4fLfegMyZO5CRhhjJFeLjM9cDmw+wh/B2:yXHjy8YRhpJFMw9omw+wh/B

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4412	alg.exe
3748	DiagnosticsHub.StandardCollector.Service.exe
4036	fxssvc.exe
2348	elevation_service.exe
3528	elevation_service.exe
3704	maintenanceservice.exe
1588	msdtc.exe
1568	OSE.EXE
3344	PerceptionSimulationService.exe
792	perfhost.exe
4440	locator.exe
1072	SensorDataService.exe
3304	snmptrap.exe
1308	spectrum.exe
4220	ssh-agent.exe
5056	TieringEngineService.exe
4092	AgentService.exe
2076	vds.exe
4660	vssvc.exe
876	wbengine.exe
2864	WmiApSrv.exe
2268	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\System32\vds.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4d1b1f5f74f8f84a.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\locator.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007591fd7f4696da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f346927f4696da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063854f7f4696da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000620b977f4696da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000398f1c804696da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000850f597f4696da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3748	DiagnosticsHub.StandardCollector.Service.exe
3748	DiagnosticsHub.StandardCollector.Service.exe
3748	DiagnosticsHub.StandardCollector.Service.exe
3748	DiagnosticsHub.StandardCollector.Service.exe
3748	DiagnosticsHub.StandardCollector.Service.exe
3748	DiagnosticsHub.StandardCollector.Service.exe
3748	DiagnosticsHub.StandardCollector.Service.exe
2348	elevation_service.exe
2348	elevation_service.exe
2348	elevation_service.exe
2348	elevation_service.exe
2348	elevation_service.exe
2348	elevation_service.exe
2348	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4844	0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
Token: SeAuditPrivilege	4036	fxssvc.exe
Token: SeRestorePrivilege	5056	TieringEngineService.exe
Token: SeManageVolumePrivilege	5056	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4092	AgentService.exe
Token: SeBackupPrivilege	4660	vssvc.exe
Token: SeRestorePrivilege	4660	vssvc.exe
Token: SeAuditPrivilege	4660	vssvc.exe
Token: SeBackupPrivilege	876	wbengine.exe
Token: SeRestorePrivilege	876	wbengine.exe
Token: SeSecurityPrivilege	876	wbengine.exe
Token: 33	2268	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2268	SearchIndexer.exe
Token: SeDebugPrivilege	3748	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2348	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3360	2268	SearchIndexer.exe	114
PID 2268 wrote to memory of 3360	2268	SearchIndexer.exe	114
PID 2268 wrote to memory of 3916	2268	SearchIndexer.exe	115
PID 2268 wrote to memory of 3916	2268	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe
"C:\Users\Admin\AppData\Local\Temp\0771277f1b180b0d52b5e10d1e7a0d0424fd2a0dc54097f326f866cddc31451b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3704

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1588

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3344

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:792

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1072

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3304

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1308

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5084

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2076

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c12790c9b3fff9d569dc1b19b6c6a4f8

SHA1
ddb73639204178a097671638d6548450528ccbfc

SHA256
bb7cadc8612c4e28a31b3b3d1b0c2a8c6685568510f7f6dc8620fa7938511d57

SHA512
6b16b34797e75e97acd6bf1c87a07c3a8f7b6a2d01a1ea0a6740616b6045da3195b189bde4265afc7a9c7a30b1d4e2514008ce25eeb3f68e76c4b0389e76c6c8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
f85c466031da6b353c9e1e7a6b09e4e6

SHA1
deb02662ac9ccff6c17d0ef836370b88cd0ffa43

SHA256
c643df5cf6f0b694fec1235a2af6838877d518b32128fc36de1031b1852cc167

SHA512
f919f035b2a6e1e42dca91f932d430089fc8222ee246396261ec916f1196f0d471aa17d05fc1a4823c6a3fbd24023fa8993d3d0901e6c0adde16155b61101474

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
130141e12f8710fbde1c124487212ba9

SHA1
12be1be8041a64f5bad1a76d32c9bf2772a9408e

SHA256
72aa7f7f0c5b9208c7b956fc4977ab62dc18bf1f5a48abe94c012e036ef42875

SHA512
b89cd9d7c325c7c3181b5f25401553bffbc76895f20b41ad0d2caba4bb23e1bf6213dc3e49e7efd02a0658a1e598d2884b2cdf2162fb5c712e76ba91b326e8dd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
15be5dc91729c697ea86ad076bf538e6

SHA1
e33d79026a46db1679ea708bbd8a2f48f3be75b5

SHA256
4fa7f0c2fb250876da3145e9e5e6db78dc1e6203eead6cc67fcc04fcdc36fc0f

SHA512
e8b271f60475fa35b417ef90a302ad979851f62ed6cdf5bb6c55bc9fc4096578484f6654dd5b71f0dcf00f28b47b69682c0da9b97cbb129f19d90665d65f2493

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0969e906be12237cbd06c3b56abd1fbc

SHA1
3a74c8a67a33213aef724619fddd9e6d9c8bfe1e

SHA256
5abb13235fa9977cf70e0de652b707fc61aca44576600f92607f432dae54cf1b

SHA512
1ac92d3bdff95f1db9c9497138cde0c019b4726cb88e506304372ecc6d178448044e9f8b126f4f66fee5a617bbe8341e762977b3aa84c4e2af63f0d01523b924

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
86420e2d3ccccb03d5a77b2e158cb4a1

SHA1
ff1b15347a99fd275565b572b0397546d3711efd

SHA256
cd968cb717c4f0a751a25c3938861e7e3ee916b5785f761a8b52fa3e668766c2

SHA512
e1e771314d59f1e34b28ea995677a9865755bdcbead60085292ab7042cb05255835c30437fdd319702dfaca127050c9f86ccfccf11fe74a65cd5c52dfa964cdf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
175d6bfa92ff014c6a5e4953103b2d37

SHA1
b2ffc13f893a7c6c7b8d322f3ba0181752d29336

SHA256
3e84319eac37d3e5bf4230e427f7b1dfd1620142e4644e89aabc96822d041393

SHA512
549cbe277d17ddb0f29ba2abc421908a6c27bc8bf50a270ee2141dd503f82f79dd9e0b72aeed4693ad4cbba63a9e8d06c7d858dc125cb8ef8db9acdca93c17b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
66274b6b16a4c41b94cf7c3674aa50e8

SHA1
0501ed47c26f21dc2ae7e86c29e4d7fa551fa36e

SHA256
bfd16a50d2457d358499efb65abbdb6e77138d96ebf5dc519fb1617fba6a275f

SHA512
dc2e194befd407d389bfa4b761b6db7c0230e9f3c9e9ae5c32371a77a812092a429d979f241f26766b76da997b2be862a222c750bce7e7f098ad35e4132c1fcd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
94212ab2a97c74b9ad4a77d37705844a

SHA1
b51f43b90eb695298ccf8262e0091fcc131ff339

SHA256
d4438aefde9ec7b5e6b31143325b322fbf679d7c6547722f5aeb137d5ad0a339

SHA512
9bfd94de5b9db73f7aa8c1e71ee605e6f51781f4faec098133aa253b03cc3f4979bda6f56228f164ae9401fe59916fad2fca1a42fc4bb018f9f357656d557e2a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e706973ad0b9965ceffd40ada29d182d

SHA1
2789d003fb2ca18c28843ee2f6895032a9326695

SHA256
ea8b3960628eb25c36289a072085eee7caae14fc194802e948926ef960cb112e

SHA512
e97a2dba6fd74e86df4ab0dc543cdc946a042bd33bd1e639e2207a4fc8616e6adc6ee7c75c96cc8cf1b2ec0e737904536f30035242b3f70753d4dee9d95bc074

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6b22d559aa525e23581e37c5a28033dd

SHA1
c9361226881b8a76beb339ac533ee76bde0cb47c

SHA256
7ab88614d03232c20258a68bb0fd7dc67eaeccc37da3797eae37a458ef8168f9

SHA512
d9feded1eb46618993cdf4f528460c19868ae8d492244bd0490bc07c364da252a7e372062ec51d06dd56a5fc63c99c9e61086755f8afe549697649bb7daeba4b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e4ea04bae3cd0271b1a245c1eb5c3c3b

SHA1
8ef8c7e46eb0ae917fca197d90d079e5c97cd846

SHA256
b9d9f18a652c74ac753736422afa9ceebf810d630bfe5a0b986af14c2574afea

SHA512
676e823f3c59c93c016aee24970b00e0e0f84bd24cb48447013b1b778ce6fb66dfd63726d75e700b2b886b282abb33b343fedabc95a590258a63922db05e4339

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
020e2da8d3742409982d98a1dac92569

SHA1
0293327bdefa5f7af0bfb9f1c09ee2330a143857

SHA256
7ac5eba214c8cd54c0d33e2f0cbd754f35125885858dadb949464b783ca986dd

SHA512
35e4fa49cd386050626178d9e537f4221c7b5b744915d0853f5bd100da00c038433b91bbf92e65d79c5b948c1e80aad9375b19f7b97cca7928be163130374776

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
1fda3774d57bb8e712bd2dfb95670e68

SHA1
0cc8fd1bec29e12a734ed539f895e7218e5a24e0

SHA256
11c7d5ab1158a8728da8ba1698a471cde6a15f633f2197f006694a549fc8504e

SHA512
407641da60fc4badd739a04f206458e858f9e260ad47e3bf6c83bb4605290e53d75ec638552726bdac577c1533163274380f80c7378bc9e8f2c4f9eac65f632b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
d218fd9bbd2a954cebdbe0c5b4f08ee5

SHA1
59b3d93a0c721588086791000e6254895f5647a5

SHA256
465a2433c677b1defbfc0b235bf4d9ee3fabdb51ae3fb5526096c22c30f94b2d

SHA512
42505b9d22ed6a96785f350f44fe6f3fb8fdffacb9762a1dec9064b007f7f74e7e30ffe6770fc375f06f6a0816e9fe7f8011fea45bb97f994fcc5e315d4baf5d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e0431e53e0612d215d3bceaad3804658

SHA1
310370581ae8968334a4789f775f5cf63dc90da4

SHA256
bc85f04826e3b953501a9a59dfc055cc5c92291344f07d3b30c5505ce3fb87bb

SHA512
af6579f1594cb89a8cf9e6255f8ea81fdb0e4eb7674c8e059a2741f21dfd1287b108859852242e226e78af546fed8f86f8a28ad6fb45a45d5df6111261218613

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4bed53c0464715a69f51b98502d2c00d

SHA1
34ab52a3b320b2d044da3d8e6fee6e42284741a4

SHA256
4a37d3d9d98121595a2f4eb72ec94e555350ff2e034309fefa1d218296c879ca

SHA512
7279e6f782f11ea6d9729b60de7c9c99aff0111a8a2a800a1f47ffde9b3411865f0f75adff9127a55920f3c0a14a4ea0a3f483be5df3d01a3b03bbe89ba6a80a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b265f286a6f1df053476bbc9c39b6dc6

SHA1
5e65f679bc68790351b4a458ddc824b82963484c

SHA256
8169c07c6c6990564f7b49d0918246ebb7ca8a9664cc261834c9d2f4e7b4d9ab

SHA512
29aef2ecb52391b35fb454aa8418583cfcea15ac4fb4a0e713e0a01ef25c5c8651f73557caafe58a4cdfb071df12cbee6a339392368819bc554cb322a53924d9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5a01412a6e36ae9824e7c7866a711a21

SHA1
b15864b4b4e663f4d685b67f96b9039e900c6ad7

SHA256
9c5ebd780b439ce16d5d8a4c89c57cc35f082b9e3e887a6e752a9ad5318d3256

SHA512
6c141788efd6f4d350f0bfaf786b63f92456c8e0ccb6dcda959e2e415d164be0461e901cb7adaba9c4c4cb77e251c0186d69c53cd1ef0890d60d2bbbb162fb54

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
22dc22778e243ebc48fcbe516dcfabe8

SHA1
ec5da5ab6e4de17139c54a35b6df709521e71b0c

SHA256
abbc612ff1cc65d17cdd64c951b7dc57a0500603d9ccd40c7eed6c92383847fe

SHA512
a5cead9774c49f6405b8a951d76a5bf4250d29de853badade2fb4d1cfb6697b2359b23a5b08d088ae4622ea0fc71d90b18b25a35c92466e10f8eebd73d55edf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
46470fa646935fef935cb1ff4b7e1e4d

SHA1
10949079e4e8f0a25d6a05e64cab7d8c361a7c01

SHA256
ff90d6dde37be59f81ce08829c04a08de7a93ee2fd97de1f9e32ec99bb13c94b

SHA512
82ecea39acd2c6e083e10e06b803aca28857ac1a82df5315ef2ea03eb7dd3ddf0993f62d37be9ebd20be9a8cf29de03d134ef617e330663436123dc07beb70a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
069d95012f3adde59c64ebb3ee3b0400

SHA1
22fed51cd09bc326da1610596d4c2dd454407ccf

SHA256
202c7381f265efe87847910c99184f72719fd871cfc5ebdd47de37a6c94fb8e1

SHA512
8edd70eeafdd86bbba5be7ab0564661c91a5564a6c2ed1bb33eaa86320674f28a9adab27c99330e10bf331294e012db147eafa52c636c18754de84e2ba968b53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
06681527dd394002bffd2541a5157878

SHA1
e3639547fa64888499c7ae622de3baa0fb623ecf

SHA256
521e9def71e452dc992847709ac1768fde18edf5ac4b8a23ace37fa038dbf1be

SHA512
5e5a5df11a7f4e54df98499787937e37c4b5e0f9bb62eafa37c5c3f561ee6442d9e2fafa98c14fc8f895d647e40c0a60680a28144405827b0591737235145501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
22bc0c49924e138d214c595ce892a9eb

SHA1
7229add37cffcbb6bab54435c2dfb4371e7f62d8

SHA256
26f7586bebeffa9fb61f612feecc80d5f6a8fa673b5ec416c12d66b1a64ce78f

SHA512
b7c5462b65da31a8bd4b0f9fb954c5c212257e0bf6b61ef2df8e28dcec8cd0ea61d6cee4ff914213aef760994fdb4c85106640251aa43ea1bbf332659ec7f6cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
7405382af0a71ba42e0555ee1ce28581

SHA1
b8e11956d21dd1f0509fe810e9a8016e40b81b9b

SHA256
36175536657a39589b9c151bba891b07c413f70086eb14f9de9407e59d2e3038

SHA512
99b10bfa369e373e73ea535319959b837e3773e5155405f858e594063eda9b3826f9e89fbdcf24951cdd0a60a568f66e71b9d5956ee818b8ff12d0f271a3bc2b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
c96fa73094dd080bec52723b1b7654f7

SHA1
ae7c11c15e901dc0307cc38b6e0a40d54ddeac6c

SHA256
8ffcd67f87532639e5db175488a0dca18c3f7a552a44b7e318b77cef7f6cb6c3

SHA512
fb4b0468e3f9051120d839529f3685a58ed2d8caba7e26a1d6a47cb7b2e4a8ef866c515b4394ea492b2010f6d6fe942c152e55b0ee78a5bad1839ddcc82a4fe0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
cf350901155959f0fb200bc0f6d3a3a5

SHA1
25ae0fbe9d846761ae2f15a033ee4538d4093279

SHA256
f7cdaa2839b38d374073856833c15de15f9a71cc2f35d9432609dc0f71a89169

SHA512
2d6252969de0a321055da8aa2c1fe598ba4650d145586391539ddf91656b790b83b72453f291a897add963fd51db30f4a55474eb457bfeb65bbd038617e2a404

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
9410ef8a08c615be5c7181d6b587606b

SHA1
60cfa51773ea3682fab5201191e5ab81ea398911

SHA256
6f3767bfbd886ab17656b5dc0d75122bc08a1e3e957c43bc71fe34067ea508f3

SHA512
98c276a666915827b72efc8ffbb14b75025b41e0f30b0727a43c62a1a2787911304bae1797cd8281f3ae48c4a506f318a4939c4adb7914da10e876a282b4ae20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
19035a22fa5c76c0b6f42200004081e9

SHA1
d431e8219874ede49880f89db3d2abaeb6d9ebc4

SHA256
132e61448b4deb6cf5be199604540ee85cbb8efe7c1a81e3b6614682081a633f

SHA512
840c89eaa28a1d4847ed06e147d13f261e000c32d737191c4347adcf8f889b8a34d4928afa0b1861ed45afd9669ed1ab13c5964fcf5ce387e86521086dcacfb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
c9645be8d2daa1f01b2b305265cefb63

SHA1
f1917bce00a7d67f418772d0861234f8e53d46a5

SHA256
7f972f2ec0d03949f29ebdb8d615708bdfcfc0eb69f373b80ba19258ccd6c5c3

SHA512
f512e0c3c5e437d5bac986effd391c27623104d588fc8d1cecc5163b7801ad8fba6b23fcde907049fb5ca95e4517671e4d7dff3455e4893af17719c26bed1e0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
9a24188162bd94e32ed57da780c894f3

SHA1
d7a160db2f171bc0f20ca2914f72a2e17ce1bad9

SHA256
af12c6cc6c1f2110165ed7feaa622e60c87665ecb3bc7f4e891dc803bbaf0a8f

SHA512
8b8a7aca03a0ae84ecd9b2eb74aa012b73dcca864af72b7de1f2e24c8b31ed72a31497b2a6de6b1fa9c05e40dba33f612f13afde891998fdc98d0ed8b445c7eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
c2cc88e93fd22755ccfb5b073f5181bd

SHA1
f25c4bf7c37d82f04b05a3c112c1bb8d4a08894d

SHA256
74ff6c581c6d29d6865fafb702c35cf44943a6f822917d1f97a983610f2d83c2

SHA512
cbaea42c53260e4df0fca4c3e3c70be3c06fa0574d9f4ac29c41515a73f0c8f2a00536c48350850c7cc85db06a14d6000de021853d10d0f3cc24c648f0d08ce8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
168632a252ed8d2dfcdf1afcd558df5d

SHA1
968222ef69004f2365f883834eca8a8276827bff

SHA256
f1d1b0d991fa189bde0d2e272858b2f6c225c610e8ad3f566447f7fcce7f74c9

SHA512
5f680f3b155b355383024d7e4ff7f46b0bb3d25b84b2621789a7f3d0b1fabd859a96b85a1a87e1d5085027775f3b66c88f225990ce7fb6880975e0f58ed30999

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
717d518a98501c906d9a62b7c6bc700c

SHA1
3e2acf4894a0f70dc37401e1033a036af530366d

SHA256
69a960d4323cd7285de81af4fcf3e8a9771c5e9270bc2b82984668b8c77e6f91

SHA512
0e44593d565e88bbd4ed3ded9030323c2686bb03f9e8afcb5f97bea8059a9f492b1e9703283e41b4cd0c44abc34a66038a95ee729131b4213f62e8033ab2bd53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
b15beb641f292a49428ef386d5b0930e

SHA1
9ce4b7616decb8832d20cf069b7258b0283ee838

SHA256
9b14d0a3e4788780a64aa6e2fe4f7975d95cd5b262274e1d3a4be57b27a925a0

SHA512
3521108c18a9aaf2092e6aba1549e735c9439800c555c3b7dada9689df1f2dd15568ce35b179eaf18f587d1e9573b22658158efc480e546dda1f4b5d51763ddc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
8da87e1273fb835aa8c8f9614227e5e7

SHA1
7d3ac1f33d12a0801bc4d174baa3ce624089fae7

SHA256
db83274bf91f951780c2c0f50784babb4965dc42c23ade4c351ba2adf865232d

SHA512
2882edc40c4efc64d72f4ea9752986d9e6ed67bebdb455d95ee678eaebd50a939c4607a4474df4f513f0c3871f8efb6ca8892cc89a66eaf86fde97995cfca2b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
fefb39e3c3e2782f724219b410a8f2ee

SHA1
913d5dd1b1b207dd60de725003c636e793db2824

SHA256
6a4583b162dc18044721d7228bafdfc29815aa18235c057e6b251fe4bf8a123f

SHA512
a5aa3342a148ae1c36f3cde0275f57be98b93bea45113c003d04d396c7494ea79b7da73987d0cf277441c7defaf0d965f5b5a7d75ff69ca0583f0b605813fd3a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f8063ab9af34661f80cd553b45f9c3b2

SHA1
7871729f21cdef90f152c5594be573bb3040ee19

SHA256
671d7caf197aa473232236b667ece55dd0e4762b466885ea18990e3fee7dac9f

SHA512
9b840682cfe1f2601064ed6dc63905f84549bea77f3bdd82f9af8ddb271aa8e3d34c007497b47e5ae8b3efcc9e66ec3a186dcab304fe9c9126d77768115a03b2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6da916885c49cda855dcaa8476b48153

SHA1
e5d554d6cfd84047cdda0956de7cddb51397624e

SHA256
2e1482b3902d2104727352680748402a338f1607215606f4354729f0550d9ff7

SHA512
9489e428b3b2b8e782564a8cea7f92320e9cd442136064c827a6d583f76ef3b6a25d5d560e33922c92ba6cc88252698a321052d802f78cb758a0805a7c9408e4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
bc922a8a97aaf992109f993f170e3fe8

SHA1
aed3f7ecabe618b385e594091890d4d3c6c1df1c

SHA256
c8094c23aadda71ab308d2d79240864c907615432d6f8b6df04025dbfafa3e3d

SHA512
aa7985a86e4f40aa5b1c4eb8f469ad9c52447f880c87290cd54fb66fefc359f9f50ee2e017d77e50e761ab6d9919615b72c8d9acf4a7b5668d9864708b95f1db

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b75a1e348c479994481e899f0511fefc

SHA1
dd43778b27a8bb37d80438c4cddc8dd617b9a27a

SHA256
383b6dfb76f9685bfd5cc9b6410a719ac7720f6974763628bf1a5438e0645524

SHA512
6518d90426c4fba9022cee5d1cef99ebe9d2d60a24ff744d5b40958370113471e545f9c27602ca2f54ae9c6195b79fbf44831db9b8b983362a910c1310aee9d6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
7e68b954a6851c054e0c61581e0a50b5

SHA1
ea70d3bb4d8090a95bec4657c76ba16f052629a5

SHA256
5057eaadc4a2b030e49d5c4bfad5dffc5d57bca1038a150ae62f433f5a8f43ea

SHA512
1d05163421211959515c57d52d3f03fa9a9d4fa5bc3278d531cac91f603ea5cfa89c47dbf60fe923e9b56468c8e7de2f5c4bad35c7ae6baa0189c92dfe0d9548

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c10506ba0fb2961fba8e8ad582a25656

SHA1
cb0b0e973f14e68508573c2056c623d47c4bbb20

SHA256
529ecc5727df12c66cd35f3d123bef16344577089adafb7db905a4e22d462ed9

SHA512
053cb54390f2ce1ed01acc4f0e52f69cd67eebb1a2e8245498afcc23b7a7f73e7b423f9937ddd2a58497d7e67afc6c0a22d8babb804a2f5928869f118292f694

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
5e8a41b31f4d9dbd3ecb3f10daa662fb

SHA1
2efd585bc827d815168afda75368ebd1b6612e93

SHA256
2d83c6ccb37ce6823ea07ccfd6d0c8becee6414d4ba4d8682b86574bcb4bb796

SHA512
c8e4b37ffefe1cfb2b4608e37d5231d85ef0b0df9becd667ada686b8318e39c4812af4dbd3959eaa6fa255cd4c190531e8aaad641bf1370dd1caf9689c0ee11b

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
8547b4c27bc9ee417f019e0c44cf421c

SHA1
8eeb30c5ee1d1b03753e5797f000c7dc39d3559a

SHA256
3148fdc5b9eb456289816be9f02a4a89d9ddb9ad871f6f72cafebdaa0b41decc

SHA512
38b4eebb72309ed1d315cda768255f9a9a5bfcbfde8add92d3833cca52977d2bda75d5b8fe761a1a180383b12bbff5c5043f3bc13dc49b8dea85367e84e9d597

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
e49130d1dcf80fffd7db29ed82fef138

SHA1
2c45edf1088ce887155a36fc53eaa2fd64fa1e29

SHA256
fcca6b71ba9d1faf6045783a3807f6eb9a0bdafdba5fe195b62defeb751f1152

SHA512
c0d1e3484684bd0a3c721e1c374817a741388242c47868bf31ff2025893bf741c566fcf14b0be57ca13c54cf4064b589246c21581752614a0c1fcb84725a9323

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c120395d1d26e00db1bc40c6c1cdbcaa

SHA1
b73526a9fe1fa81aec6dad67680eb8eff3dd58ca

SHA256
f889b9dbf73b6a3735b9d5aa37fb38f1fba53575f58faa3ebb84aa1f85b75470

SHA512
9a31067beade679a2e0d0b26f37dc6c33dc4597f5122adc6f4a01d2837d746de24c2b85eaef582d9aa440f6de13cd6ee37f39dd1b6fd7712cc1e5abdc6b8758e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
546a838ed93fbb60b148621f096c0c18

SHA1
4b234f33097467294ff664b51e785386fc6a5690

SHA256
2124a4fde45fca0446cb94ca4c2569f0929cbbc43e504ca2879d52bd68b2af7c

SHA512
6de67e780852f9ba740dca296039af86f661780e910b9058c9a793bc39267f8311b542704f288a7b910e7da19fc6b8174d5008f2f2c229812b7ad3a19aa7fd8e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ce6c508ef1a9d8012216421fea893405

SHA1
a2ba1d46c796d68af1a07557c0d77729498fdb86

SHA256
652804aced7b426f9945381343eb764236302b2df5d0e70d3d0b47172f1d8aec

SHA512
c067d2e5c77c9589f0b4fd328951efd8614eecf84a49b845c33cc0411565c9343f2ba7c0aba14be55a4430224ea5d0d3d57220c3c958730287a993a2f52fd876

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
c3aeba76241a6e7f40d465aa863e0b5f

SHA1
ac3c6eaceb1730a05086b343c93843bc535ff9ba

SHA256
f7b1eb1fc8f8edb1eac6c0233ee07c8295b065b6b6700edf954e11a2a6db00d0

SHA512
5d5a4d563f866fe0e2db08bdb0bc77324be7b3a34f1ff85908544d22842ff6f388ff3cb17d2d9d4590f9bcb418020cd713d3b2211dd52e57e803630794e124da

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
dbc85504f360e7bdfd3c0109a088b28b

SHA1
7aff680bd3f35983531cd3ea4a5ec24ddac83764

SHA256
8c24298e4143d3a978478e4a6ff55c318a3dbea2546ceb6701c8804e37f1a097

SHA512
4fcdcb1e089a293eca3c4be30fd33ff4a2b0b6fe599433873c58cbb0f86b1f96fe62381ee823ce266a6ba4566d191ac7eaa843d2fcee2fa5baf7050ee41903a5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
02b6f315c6a315be8fac2b477b4ee827

SHA1
8c7c0196caeed362d29bfeb3f1f3097fef76e6ea

SHA256
5f5a11d1461a1a08fa7947918fd2d59edfdcf3b65c5c8c9396ca0b43a13f33e1

SHA512
c858fcccfb22188dca7c8a983ee99735c9fdd46b507ae4bf6227b0c38342b13ccdaf382f118d874179d5b6e1a9d93210a078dd3c20db63453bb7d4e6a409e414

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
06e7fadfa44618c7df31009739e7a594

SHA1
6924ea17305572a2f175c8e565e5e84cd1f361d6

SHA256
2aa4859f47866450db55f0c0a504f932abd5441c1e6f6d2fe61ab8fa8e38c628

SHA512
999ff223098f7eb876d2c6c7c52b26019c353b02c49fc300bb5ff505fa7c96071264c5c72e143b374742be37c51ecbce3cb01205b863841cf13a33793b274d44

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
f41a3027bdb8f92d8f57ff30e26c7d80

SHA1
286e0ce6c1de34aeb065b2367ea37e00871d01ef

SHA256
6c626f05807ca6ea20f6e279f51abb5408db402a778c6beb054dcfba4c0a8b13

SHA512
ecd118435adb464b5ff345a659530fd1449b1f99abce58d40c5d449e55a2f7a02b7c0231621032ca72d3f33c581299e80ab08209dd997e11b2739ac5be46501a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
226002a04e9a89675bc6a279a784ab24

SHA1
9495465db3a69082d2f40b3f8c9bf65cbda76124

SHA256
4c0f0f003025b19f6d58a2eb88da5b639367f5f9f91c79d024af9e15b2be7466

SHA512
1d1e68f95a5385d6e7c412e06ada97a7e92c8d1b31488184f67a14961419dcaf22ca0484cc36cbfc67e8b5cbe8bf70f5ae94d363b4dfd97a66e1d638b110c927

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
83b4db122dde5a9b63ac936f5be6e034

SHA1
cace1000689fa3339d0ad1f3fb3684448d0086a3

SHA256
cc6789201a7412928e98d39634e13660babfcd0fda60b5a7bfd0c09c43416da2

SHA512
30422f29b616480210402d7f4dbb5b51db742e01c4372d9ff203a927f106caa0ade2236130cd951a5ef245cf89c56cce67c2e1b43651ebd48a2fc4349e1d82da

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
27d3353bdc6618a1a405a5414f73e1d2

SHA1
5a60849725e68246f0d5cc17427f544d832f675a

SHA256
f38314fd8b84b3208cbd6ef8c810b626931c519a95a77ae7da682045313ffdc7

SHA512
0c578f2d6d88a6243c3d19bf8b0b5757977f255b754402a6e51e1779c613506107333e06c3aa726beb1a06090498b0958b6631114159654a2a3ce0b2a60eb2cc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e1d354f3f05e89fc6b4294b7b10c937f

SHA1
2c302d72bda769726f97755ced537cf0e9db6562

SHA256
c7f9a4953a4d16292a100a7e0facbb7c960f6eb36b2933eb9211f7decf62aa1b

SHA512
5dc73d5179d55a506b6fe4cb5eac4cbf1aed37139ecc6ba30c38a22738350539d763a524adaf06f370089065f1c635848578667c9e5d573844fa61bb388340f8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
6a3794deaf0abb1643c927b07bbb8e4e

SHA1
2b4d357584b4162728f76d7bb1a2c78ab43467b8

SHA256
4b8e9b5d98df0fc50b7ff67431f2d7c8056fd77d56e9dafc4cb3539ca719598f

SHA512
4d63f7eb941516f9af012c1acc0cd71438c22438d38a2fab906087eca03024185199760afc2a07a81d3e8ce95b781d19420dcede31bb382fa10a7ca853bfca0b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
5b48efe3e105d041352d362da74a930c

SHA1
a6d3395eba211d006196897b90e870d962c6acf6

SHA256
89030ab25b976665343eee6db8b53daa44f5e55f5adf4df11ae18bc6d5d7f194

SHA512
26005f54212022995a1656aa442cdd9efb6c9453ff0bc44092a566cfd810888e08b97b15f2aec75e68a0639cae89bf64490dc7aa5ac8132dd943ef292e1f9d7b

Download Submit
memory/792-110-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/792-107-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/792-104-0x00000000009B0000-0x0000000000A17000-memory.dmp

Filesize
412KB

Download
memory/792-158-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/876-167-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1072-166-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1072-119-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1308-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1308-136-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1308-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1568-85-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/1568-134-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/1568-79-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1568-88-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1588-73-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/1588-125-0x0000000140000000-0x000000014028A000-memory.dmp

Filesize
2.5MB

Download
memory/2076-337-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2076-160-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2268-176-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2348-100-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2348-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2348-39-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2348-32-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2864-172-0x0000000140000000-0x0000000140297000-memory.dmp

Filesize
2.6MB

Download
memory/3304-123-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3304-170-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3344-93-0x0000000140000000-0x000000014027C000-memory.dmp

Filesize
2.5MB

Download
memory/3344-92-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3344-99-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3344-148-0x0000000140000000-0x000000014027C000-memory.dmp

Filesize
2.5MB

Download
memory/3528-43-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3528-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3528-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3528-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3704-55-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3704-58-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/3704-64-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3704-67-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/3704-70-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/3748-16-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/3748-15-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3748-82-0x0000000140000000-0x000000014027A000-memory.dmp

Filesize
2.5MB

Download
memory/3748-23-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3916-277-0x0000018E199E0000-0x0000018E199F0000-memory.dmp

Filesize
64KB

Download
memory/3916-314-0x0000018E199E0000-0x0000018E199F0000-memory.dmp

Filesize
64KB

Download
memory/3916-302-0x0000018E19A20000-0x0000018E19A30000-memory.dmp

Filesize
64KB

Download
memory/3916-300-0x0000018E199E0000-0x0000018E199F0000-memory.dmp

Filesize
64KB

Download
memory/3916-333-0x0000018E199E0000-0x0000018E199F0000-memory.dmp

Filesize
64KB

Download
memory/3916-279-0x0000018E199F0000-0x0000018E19A00000-memory.dmp

Filesize
64KB

Download
memory/3916-331-0x0000018E19A20000-0x0000018E19A30000-memory.dmp

Filesize
64KB

Download
memory/3916-289-0x0000018E19A00000-0x0000018E19A01000-memory.dmp

Filesize
4KB

Download
memory/3916-335-0x0000018E19A20000-0x0000018E19A30000-memory.dmp

Filesize
64KB

Download
memory/3916-323-0x0000018E199E0000-0x0000018E199F0000-memory.dmp

Filesize
64KB

Download
memory/3916-317-0x0000018E19A20000-0x0000018E19A30000-memory.dmp

Filesize
64KB

Download
memory/3916-288-0x0000018E199E0000-0x0000018E199F0000-memory.dmp

Filesize
64KB

Download
memory/3916-489-0x0000018E19BB0000-0x0000018E19BC0000-memory.dmp

Filesize
64KB

Download
memory/3916-304-0x0000018E19A20000-0x0000018E19A30000-memory.dmp

Filesize
64KB

Download
memory/3916-315-0x0000018E19A20000-0x0000018E19A30000-memory.dmp

Filesize
64KB

Download
memory/3916-483-0x0000018E199E0000-0x0000018E199F0000-memory.dmp

Filesize
64KB

Download
memory/3916-504-0x0000018E19BB0000-0x0000018E19BC0000-memory.dmp

Filesize
64KB

Download
memory/4036-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4036-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4092-157-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4220-149-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4220-141-0x0000000140000000-0x00000001402D3000-memory.dmp

Filesize
2.8MB

Download
memory/4220-286-0x0000000140000000-0x00000001402D3000-memory.dmp

Filesize
2.8MB

Download
memory/4412-72-0x0000000140000000-0x000000014027B000-memory.dmp

Filesize
2.5MB

Download
memory/4412-12-0x0000000140000000-0x000000014027B000-memory.dmp

Filesize
2.5MB

Download
memory/4440-116-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/4660-163-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4660-492-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4844-0-0x0000000030000000-0x0000000030284000-memory.dmp

Filesize
2.5MB

Download
memory/4844-6-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/4844-1-0x0000000000900000-0x0000000000967000-memory.dmp

Filesize
412KB

Download
memory/4844-56-0x0000000030000000-0x0000000030284000-memory.dmp

Filesize
2.5MB

Download
memory/4844-348-0x0000000030000000-0x0000000030284000-memory.dmp

Filesize
2.5MB

Download
memory/5056-153-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download
memory/5056-313-0x0000000140000000-0x00000001402B3000-memory.dmp

Filesize
2.7MB

Download