6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4

Analysis

max time kernel
147s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28/04/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
Size

625KB
MD5

3b4ba2b962496521ae262e192ce74f0f
SHA1

1ab84958d4664883b70e1e577f296b7afb052d6a
SHA256

6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4
SHA512

00e50a29d2bdbbba5cf26cf9f87a676751096015efe09d32ca0a7ac3231c89827df40819ac5c7eb8992e96a37a6d0dee3eb1bc8928452928bd1398dd2f174a5c
SSDEEP

12288:HJB7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:pBCks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4280	alg.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
1416	fxssvc.exe
1964	elevation_service.exe
4544	elevation_service.exe
1204	maintenanceservice.exe
1604	msdtc.exe
4956	OSE.EXE
2160	PerceptionSimulationService.exe
4048	perfhost.exe
1628	locator.exe
2384	SensorDataService.exe
2224	snmptrap.exe
4628	spectrum.exe
1292	ssh-agent.exe
4000	TieringEngineService.exe
3224	AgentService.exe
4832	vds.exe
4224	vssvc.exe
3424	wbengine.exe
4320	WmiApSrv.exe
3088	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6c8668be7489627c.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\System32\vds.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080167c60ba99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039028860ba99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068f5f85fba99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce95b85fba99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c2f1360ba99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000746dd05fba99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003532d55fba99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006627ae60ba99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe
4196	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2060	6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
Token: SeAuditPrivilege	1416	fxssvc.exe
Token: SeRestorePrivilege	4000	TieringEngineService.exe
Token: SeManageVolumePrivilege	4000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3224	AgentService.exe
Token: SeBackupPrivilege	4224	vssvc.exe
Token: SeRestorePrivilege	4224	vssvc.exe
Token: SeAuditPrivilege	4224	vssvc.exe
Token: SeBackupPrivilege	3424	wbengine.exe
Token: SeRestorePrivilege	3424	wbengine.exe
Token: SeSecurityPrivilege	3424	wbengine.exe
Token: 33	3088	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3088	SearchIndexer.exe
Token: SeDebugPrivilege	4280	alg.exe
Token: SeDebugPrivilege	4280	alg.exe
Token: SeDebugPrivilege	4280	alg.exe
Token: SeDebugPrivilege	4196	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3088 wrote to memory of 3224	3088	SearchIndexer.exe	112
PID 3088 wrote to memory of 3224	3088	SearchIndexer.exe	112
PID 3088 wrote to memory of 1744	3088	SearchIndexer.exe	113
PID 3088 wrote to memory of 1744	3088	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe
"C:\Users\Admin\AppData\Local\Temp\6d596550d8e89ee956817bce9ef38d16505bcf209738c41e4dc3e30a7b1e30a4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4348

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4544

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1604

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1628

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2384

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4628

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2020

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3224
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ee641c8d39a870a1a52ebcd6b85b3995

SHA1
6d58cc08ee02a237d99157cf33426165f32a6336

SHA256
f0bad3ef476c6e0a05d3e8167d6c426cfb0c841ca45fe46d10920d3a3d09c7c5

SHA512
010aae1561e564e4220a9bd81662a9e4aea9eaace1be35900b0eab8e83a1c233d252fbd70870deb6d2e8670c00112c5bd1d95b1f315126a8f91b75d42abeac4b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
329955973059ef06fd6f23477985c10c

SHA1
431c92ef52b9173dc994e470335fde30d9a1a73b

SHA256
f3c2f7106164d8eb7427db94bd7e38cbc0613b1b8c2f1ca8e4c91ac3872f0871

SHA512
b7ee9d912cc1a29b3c98d94a4635541a790020052acdd60f68d109c8a646d972c93684577607a7d44cdecb806f55fc139a9360e0e29f46515034df90173c30f4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
9204308a9c97dbced935ce788c87406a

SHA1
6d722b616d2f03b48355e86e164ff3dc82b56c60

SHA256
6b57e1b4365d7316b00ffb0fc8da845372db0aa47279c3a7d0ba630598ca9e24

SHA512
9ec6233e4fa1056ceaf44231c7d6024944da56ea013422ff3e448ae36fd1b2236e3a0c2074f273574812e86b8b2271bcf7750598baf772109fc9dc04ea25e0ad

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
34f33d8dbdd9f512593f8178574deadf

SHA1
59684ed6427c1635966d5e68685f3d1192291a5d

SHA256
3f34d6b11117e23cffbec91b5cafe99c15a6b96198f5961660a13664cc1aa970

SHA512
16c7d4001b5ab11e50d178162e263a79319827431c5e0dc70205db441af82f8c9a4ac6a4a346c255a8979c99145919be8e3e4e5054292dd6f51141cd1fde838c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
68e2c9a0b93135e1d12e447dd7130b13

SHA1
492e8f8d3d98a5cf80655b76bd435f911d8cdd96

SHA256
cf0ac530e3c9bdf34a27e1cec608460e9028c8736684e204a66246cb06ac03ce

SHA512
c387084912a13455817f861753026049d77bc2015416673c106fd3d64e007130346de6b03649159ea08636e4a504c4e9aa101535cb6260563a479ab1c921f7dd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
68ec219f449fa0463c2776a013e30beb

SHA1
ad118b2c14e5fcc03276f5a04c3f43490d664412

SHA256
56a9a341911915e4d3ed532c631957957d9f85b516fc8fd23abfe7f430cdda6f

SHA512
07ccb05b3ccd947bcade924d0ad6a4ee4cbb59f6e88ecc69d16f01ecb5e05e3517ea284713ff741496e88e539346782fb7ad6ee0a1f1efd56cdbc0c325ac8d48

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ca31a295a2d4d196592b184b104af945

SHA1
576b9d2cab2a8f8aa6ec7f8d71487280d2d6785a

SHA256
0a4b53f4ce14752b54b3b7f62157c39e4006bac2b6b06e7fd7a5b5a4df14c259

SHA512
f57ca3254c9aa21663082af07dac8d3892e43573332f1794a301df7ed5842798293ea9ea8942887b8c69b91f7c00b9ff8c8b2aec799977b9994da2cfea65052c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e5bf3eb6fb2e820b9f338eeafd86e39a

SHA1
01d50d2f258c328031c25ab5cd98bd29eae5fd1a

SHA256
16be4f7da13586e88beecbd21bffe55a8dd79ce67c5b5980a16445dd956b1607

SHA512
854534339f00fe5218da2722514dcbf229dd6f2f2a2d448c801b1234bb519235da810c9d56c1e165c370f6b74cfde9fb0abdb615c0cade5f254e820c181760c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a623e47682f09910315fc67ce0c0b61e

SHA1
71df13b23a82bcf50300b980ae86869a5d398199

SHA256
e0db1cfb8f0875e7485083ae9be2bbc9b5fd5971e445ddb98ed968e7f2dbbe5f

SHA512
e0cbc584a4f881df7230b7508ba895ee5c4314ff0a7308a004f15ca24c457ce81d51733e52ac1c88eba7841205b376778659e91794cb4edc6c7c5f80193354b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
833913c13d82fb999df032c4ab42efd7

SHA1
3712e2e7f328b6d52694c1527398ebd7ea413cfe

SHA256
56c308dfac8c8f0f90a8dc611e78473396ced32e4ba41adc677b3eb56e960047

SHA512
c8914ecf5530e3261acadefb5815e213a9ce5ed303fd1069808090cd79a02bd96dfb2fed8987281b9085e854f7439484300f3f95b1eaf65d40b2891de00eb107

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ce2122ce17cd95795ba9fa91e9d17133

SHA1
21874a357dcecaeaf7ae9e0036f6784babaf0e86

SHA256
f432e05171c123e642c7969621787a3414e9a7e1ac7f3bbc138266e20800f67c

SHA512
99051011a530b8f0f9e2e9fb5ebc87e4d875131d3c2c5c3c75667d8d58e432599db8e496175b5f8c131a45b90b2d7f177108af37bea65865414771a03f9819dc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ae61a53853c7cbfc6a7e07f6636fff50

SHA1
b1b20a5484451682d1a64194085ba0ccec0567c9

SHA256
8e68ed144e05dde14b6e6633178881bfd3304fd6db28114a3963a15a420d9fdc

SHA512
be50419ba746878bb46c380010d97ddbb596a194093c0f8cc81c96a364ee2f4520e22d94961ab57392dbb0d4583ea854b2ceafe9d671b7093e743fc4912622e0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
017f7ba0c10055393db5a8bf893b9681

SHA1
364328cd0f918ce8c490bb6e316a0dd22c93f060

SHA256
fc2417ba025b812c795b4fe6e6f1e735fc92484dc5e1ff0d7fc207de1c094493

SHA512
9865d9c61a0f4829e59bd870b955b0d9f9741480b678ce0dc56c0c13b10c6a7f53aba273c752d09c458017a56d4d242ebf29d5b3bc86b64cd68f960118f8dcc8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
fa060eab0de17c45547880c2600038af

SHA1
df501a9e2acf6b00928955ec238ac7827955b516

SHA256
f099461e1c64e0feefa5d355ce77fba901f22e0d524ae4b95b24063d047a61bb

SHA512
2d36fe20c449624be604428f7c7c11d29dc3e8250872d3a2ae7a4607e1693820a76e5fbd9a156f4c37a1255971f9999fcfe97e84b28cfe32f95f7881e3c7d92e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d3f0889b74bb47ef9f144d4ad9d0c31b

SHA1
abdb15eaf2f375bf951d76192e8595419914cb47

SHA256
fd87060acae824d1f7e06f8f0af8eec2ca26d299f49c5806d37e93ec6c651dae

SHA512
7e74ae26fc473cdf777b38e70b63e4b2af3cc13282baa6d74da029d3a8f97192755826bcab95ae9a3258f8678ea39902d6b0564ecfadccb636489e925f6fa242

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
050ca8b207ca2cef963bcae67cbe6e62

SHA1
c88c9f4d0eb29d79dd967c28774d9d9bcb7e7536

SHA256
85ec65371ab29b1595d51a2dfb249bdbc30736b6e9a355498990514b5b076ea5

SHA512
90782dda0466e2b5621b457560aad528d7f49b0622759834e17449f8eed050ff7230c22309cd6ed7b4a1bafbd65198c8ffe2536cd9beb2325af2d6e17bc1fe7c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0eb870035215c8c5169c15b95bf5ceea

SHA1
12541186d096bf43bafb343939983d0312f9c181

SHA256
c9c2ff5ca4c5f68d5222886ed673d05f60a52c030521261b7c8d428a8b0736d8

SHA512
6d717bd9a7c17c295ac4031270579d5771731e816bc938b85ab5ec0faf6149e7215a6494d0e108d89338f04849f4aba40acbc64591d9d0b5159236ff305c83c6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
0ef685d2f70eaca7c7cbf5a28ff7e6aa

SHA1
ad076ef628661280e4cc70e143411075bec510fa

SHA256
1ef6d37edf790f93454dae13c1174e749e67334b932a501513082b5cd64094ff

SHA512
eac4069b5c33fd9050d77524e48c731a6781b899e14699ab968499817688f29e4592ea99d3efbe3cdba735da2883762e794c4b86030397b52c2c34927c4ac0f9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
c1eb6b502b99a4a31a5fa24c53a2a4a4

SHA1
6c0dab9e6fcf74d2fa7149c7a400353bbdc7977d

SHA256
e2a28e79e7e0dc282d6d7cbdcdbf113502f1d6ef91d178c94ee460f43e8837d0

SHA512
d9afb84a211d79efa4ffcbdf289e62b91be0f9f321e712416fc77f311c9970b6dc66007c8578bee2ab88c350c21e699b38df0e5a3aa09b4247719b8f334807e2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
642d51842d66a8dbc200b388d6a4695d

SHA1
8650fe71ff3d4ab9ac342f268b39dc05e9b89fdd

SHA256
ccb7e5d6a79bbe48baec890d5fff7f36b1233b4e5efbaea354b85546879e25c8

SHA512
04f9b74f6d6c4288465a4a0e0334f7de65ae1e6498ec8e6789aa391e19abf5f89e310db3f587e1d29133ac222ae02863e0703d944604c53fc72539347a3a323e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
abb7b329d8748a095bb0a8727945f4b2

SHA1
05bed257322c3cedf8fbfb171e3d9e259f3ea9e7

SHA256
561b4e0699ad5de46e0c3e6884e29205fd59f7c34370202153a74590ef01d57d

SHA512
233c16557abb9504141fde78171033631a4faebbaf67252463d012f6a2050d53520e49104d7702d86e8b9047807f0d1436ec156952ff3e770833fa1b1c5076aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
dc702da49399e04874f3b220b93c7c22

SHA1
01f4b135ca50e640152034ade9534bf4a0c79505

SHA256
7e2f2ce32232da6789bb172ab08bfcaea08431709242fc1e03f6afd214081570

SHA512
cf5e6e446ab3fd03c818ce9e8a50d10a776235e0f038e9ea4c1399dc975b8dbcb318eedd8a1c37758dd334916f4a3a63f02651078a467a20383c210e1b89e220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5a36997a2fada19acacdc36cb5265c7e

SHA1
81b02067c0ba078f2686b1a0bf39b6d1c40539a8

SHA256
927126ca1b66c9fe2150ae5eb6fe55e32cd16e1d7b4b146aedad80d321a3047c

SHA512
9fddc3944fa814dc7c01ab7709e4f8c71a7013b5c44e21d63a4ee51f57aa312e9755ba086b20bab0fd4d2c46c162677b9301886d1c80d485ea20027fe5417e33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6c301a711046870f434c1ef9b6da13d7

SHA1
ed9773485a13c11107b641579756c3917d5cef0f

SHA256
aeb75b80b96b7799ecc46e8bc04bd6bb358abb5b47dd31af571e6fed3f736158

SHA512
461385ca1bc63f82df1860ed7c73b4da4d80cd89c74729f55b78636bec5d69ebdb2efd0860dbb3e459c22557ffe5b683f500ac82993f03327bfc54e4191c063b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
748346f9d1e5a6193d29e927d7d36d6d

SHA1
3d7f45308732068fb08f6af5eaadd470a83db675

SHA256
a719def7642f9b3572cd78c47c07ae5fc547c7b0fca95ceab1cc373e2a0b8a9d

SHA512
538fce267d2b962b8aa677a7e95c532f88fa7ea363538e080bbf61c335ed86fc67836f5515ef9d8529623741f537bb58a7b7f74d15a5a400db4e497409db1a90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
6901d8b3a6b6728cd060316e9ba59145

SHA1
6496d3df717820e178975c701b4ae27ee2b758f8

SHA256
b5d0eb0260cb674a5ebcd0300438a0a8bdb468ebf38574dd37a8ea03c90682a0

SHA512
6e342b9e50d7833e549feca397b2bdab3e5d289011fb2cb1be568e0066f390abf822b631a68dbc17a2e436d34f584d65da8409e44057b49b803da55dcada1fb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
33cf540d55417126c45f0aae3d68218d

SHA1
324824284a3c74c4be3e3ada4ce42fec0087c6a3

SHA256
1bd4a5085c5e08a383432b6f689ec305289b622b61fed328234b455dc4d74ba9

SHA512
f9075dfd66461b45d399ebe2255dad5783a9a188cce98c93fadfd2c8134324b7995296c0565b3c499d5b022ac49a4f9bb3de3fa74a76a42c1f2dbca4769119b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
24e16ea9d27c6f1e6444e8da1fcd96f3

SHA1
237a32499c64ad62ffe5b8666b830f0df2cc6281

SHA256
1dc7b4549a934434abd7ebf829dff97e262ca776c191cef619603c4db8783c7f

SHA512
c50420521d5b204b3ba1f595ad396ec317c716b134d11509bb072129b6901ff9f7322c62be6b30a5a1ec3e8b9ad6127384533410cf02e43beb70a3af8f49eba8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
7b276c18dde51020daefc0d4a7382320

SHA1
894365b0de91eb927a8590e444899772559729da

SHA256
1a46333c3e6454ab059f95e1169b2976b36d5607ae5df809d49ee00e26df56c4

SHA512
f2737159b191e944742ea9df9f9ff6ac138a9667019769f3938d63b17c4ae5a716536d5754e31fe763e6d12181f64651bb4b3f932ab58f03494be1f8216818d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
20794aa7c328224f9f8f4693d96510e7

SHA1
d832f209c445ea9b3ffbb6609f529a8156878430

SHA256
15b894e1e775020e7f48e35720094bf13b921b765760a6c5791032538f269171

SHA512
aa2af80006217ce2b031c3387dd6485978e0923bb4bf1830b1d7f8023be6fec3922d2bf576bef59d5cf039edce1b87130c102982060b1412da1292a4d10c8647

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c11b7de097bdc3cc1d9f1857bf3164c1

SHA1
dc9e10997afda90aa151dedaf49d6b7438772419

SHA256
b00103e5a051b6900a29ad042e9436269930f510850d4b2175a82f918345ba96

SHA512
ce4c559ec725e6fcecb5878f2c9dbac0d9d012709c7e1f355a66fdd184301081ae26f83b28c9eba113c28cd47646159a0d83a00e004b11e4d78b1c61116b7241

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
440dd838740ed657bb463667168d03be

SHA1
7ffcb5099d4b0260bbda5187f4ec730c5ff50411

SHA256
c2cc32529a8b49edf9672751fa40186092c39d9afef0c667fe4df7ea58b86f0f

SHA512
8031f9582bd01b56c0ed43316768e13c352086bcfe6f771c449148796bb8bbc4351a2832c4be7d7a201dbaf12737e3342aea0bd54bacc493d5153c7f71636215

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5a8948068ff33edcc46767f3fabc663d

SHA1
066e2bebf169c9af923ad986ebdf25c037125fc9

SHA256
2b05be2c7d9a393344cbe6de5228bb8163660c20087bb1aef7eef19e862347bb

SHA512
a7017f3a16316d4db45734632d018ea5c24b569f480c3d6b38607bd4fe504646c18982a65f141dfd0712a92e0b072bf720bde973a5bc1319a909f72eff0aaf65

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
962da604ff57fa269cb9d2efb31e9a8e

SHA1
6e5b2e4d1a72816d0086e86ca69537fea205c0fc

SHA256
39f5d03fb87908f961a0723a306e241fb5dda7d06af2402f9261098d6f0fc363

SHA512
dea1017f5fdf86cc1828497b04846a9c50f9b234ea5a0cfdbf2da2fae03ddbbf259ae8ece4ea6cda530d3276d864b11ee12cd466905b46292af8b029e49915e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
26cb81895c83ea8c66db58e2f7f8b2ac

SHA1
df5ad46621974619b0370c9bffe4525599830375

SHA256
39186fa082ebc2200542b49bce307e450f36da216881ef8572cfb04f8b53d5ca

SHA512
6c92e824df803b720dd63b48555468797bd011cab49aa7173c2df9b79db251e5caaba8505a125b273023104037de64d3c56320520fd4d865a0b4a96a6fc9b118

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cb84d2449ec325f0f51e97edbcbf8fc2

SHA1
ec333d28c475db80dd3ed51a5d424f69ea02fc86

SHA256
01f5049ecd155e3f5fb398cfc16f3cb48c0c41ae51eca4d2c0fa118c26c9a776

SHA512
485ef6296262fc602af6b90efd49a86812bdb33f8c6b6dab88ae01374c526c126063aa76f4ab9db47fe8adae5c6d645e2b621c67973dec49c0b92df6286e60ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
4fd91045393c49864644bf2d99f28108

SHA1
7f96f7d4feba5a4fa6e80ec6d103234eb6d7aeca

SHA256
6661acef1a08b25b1ca87f91b0c2f69c7c12e81bf2499cffacfc54dff35f6960

SHA512
2c7aa9c8cf8627e0b92ab0ea8a0eee20827505f28c1989eeb263479cf1d1e9540889ba7e17ca0c8dc9736da912bdd025401e65def640f9d245cda763f44c3122

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c71c52f42adb9628ef2ff6daf94b9c25

SHA1
be13445af5fe6d035008a389fc72c40fcdd9ccdb

SHA256
96e175609ef297732314c582d24d22ffbfeb69262ae3fbe8d4ed1a287db3e75a

SHA512
7060e213ab3354a53c4b410374aaba9029a2a9a251ef04898835283bef056227fdc365ad9094c780d23cf69cc1377091ee8c8cbefe0dc80264fc025915419e8d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
bf3338f0d96092baf4995c73bf3fa664

SHA1
3271f38d87b26c5c2829e6e5440a4eba06bc4689

SHA256
a0f504defbcc070745f5e8413dafdd5aba15c2d3ac839ecd5b1976c83e3dcbfc

SHA512
3fd0114f427f0b50538a56743ca12b15bdbf83dbca8bc3586bbdccb05941a9246a295e056ed2cb55c8ca8b6b2fb901e19fd8fa4c9ba09dac0c8150d9ae7c9014

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
baf1d5c7bdc977f21aff792351d64600

SHA1
ab4bf92ca4424bb0178ee5865fe86c56f658152e

SHA256
89917ee2baa0068bdbdcde0a3247891de7e8cbba9b924ffa85ee2f099b53508e

SHA512
dff30b8a21094e255831ae93994808c47c66fe47512bb00cd06021932ab8423ec712ba0b8bc5cb8f0fb279cb07a80c021445e37c0b16996a2c2cc41e24ca16f1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c3ba088b4af88bd6a53f3b435d87aca6

SHA1
57a37dea5b59bd3c1b352b9addece1fb0572916d

SHA256
c305bbc84736dd83b50fba6b9de3d71f6fc2e33079c46e3ea21a24dd5aebf88d

SHA512
15921cd577e3ee330fe8260a810801fb0c4689834c6313a671037ff6b3709d410b386adf79515095f0772e6b360b90f13c65acad314e5379a4613c25915e9cc6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0034c84b1467524e8333693f8dec17e6

SHA1
0e6c49aec9291d43d7c0ff0e7a1eeb87959b34b1

SHA256
ea28b4e7a404727b5a276cad4b873ef1f82e490e778a37d2a8ffd151c2b2d701

SHA512
896889a36b20060c56273677ef3b2458395e84b192eaa4536e28565245914c8594f8316f573711ad5402ea6aa227f0e3974770aa9ce89fd7187bc440c96242c2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6f27d09692f65590e3f344270d7a9ab6

SHA1
e05218ad2d569299fbec36bf4dbb46beff52ad48

SHA256
ac6860671438e6f203970a47a586e22652555cf99f2fd908d8a176d10b42ccbf

SHA512
d39de5ddd2ad03e24e149c502a0e0b57731313419ca58b442c265b1bd686c66c525e6cad3a56ef076a89ea6dc9552e38b877bfb358f5f48dfafe9e6229d384b5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0bdfa1f22007a6d4c089c235197639b7

SHA1
949cdce3f99322a1dcf5aebde7199e04168a9cc3

SHA256
c142fd06815866b500312a85479019a5cc02887216124aaab9df985962e84f3c

SHA512
9d0bf6be5a2104b9ed34e20fccd68975c36da8a9f7dc4402586b60c9091173383dc85df930da90489fa21b0d9d4fb26df02d496442cd2e57612f1247673e0adf

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
85590eb0dbc06ca353754d73a3636f03

SHA1
66db970ead015e38217fa3e81dc95ba1fa24f5b0

SHA256
78796d21e13147de84e5bfbb59388419c2b39a99d8e1a41d86ddb7b4d2bab941

SHA512
11fef33ee282f6f49d2d2aa15f08d7378d59f3cd9d8d6f3e7fb2b10f92feefe740fade98e26239c61e95268677b346f8b6eff75f7215c238dea28d59d76b2197

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e36d8bb97569438077ba3a2e4b5db7fb

SHA1
6f6f2f65106d2b45629911ace81fa5a096c27b44

SHA256
ff2eb64ea85256b43d645daa6eb1eeb0a2da5da143729f692a7dead68046f6d5

SHA512
54fd6cda5ec9ff2950d65f49415ad2ca089d07db570a327b3c841782216d51d9aa4b351d9c787a028fd113f5c2de8d96cc31dca811b55caee16ae1435674ca97

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6528444ce049d089a160139f6651c452

SHA1
fb2f3ff3f839a45e8f3ce859728a6f7cb1e00e93

SHA256
cd9199fe12fb1b5766ec05b522186deb30b3eb69c8d1babf7fda6e3884a29959

SHA512
5fd9347649c93221db46c4d0a74e94360286a15aad61e4a9cf568ad8189a4ad5629aae150e5a558ffb8069b8c55245226087860e62d90d59014d6f89294e6221

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a337ea34f6927a5a547d3f981524c6d0

SHA1
5d193483fcf9690fd11e75cff9ddc21abf69226e

SHA256
12e0391e31cf5be904495fcef469a1fe7c56653fb545c850de618b982a265089

SHA512
219fd66b701ce79e1192ccac616235678f1f8b7b93f65508b1650f469273b17d867281448fca8e9619e00a2f28b52b74fb85d086cd562bce9c57f2bed5a9f2e9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1c5fbe117d62617904d42f47a7001658

SHA1
3a477f5ee211ad331183955f05f9a16ca8992ddb

SHA256
a630662fa123fcd1e4be374933bd3306069c3f6024da04174bcd24185f9bb851

SHA512
ca13134f44454a0356d15cd412aac6789b8d61569213c4e3981075e910c2d050d0c8ae7d50648b5e2d2bf84c2b7ead5b4cc1d8b06d98946d45f70ba694fdf1ec

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fcbbba8beb627277db531202b8bdd191

SHA1
9c508cde90c0f34c82c445302f681c63a6f08812

SHA256
b63c66996c70d107a4f249ebd4d8323f0c59b4d4ef39bfa79eba12cf1fed5a2a

SHA512
bfade099ff0f6ca485220d9c27caee78b78b9035ae35c56097b97a08b7f2a84bf19721dd51cfb9061a1e28d9d6154e926cc16085a567d6aaa644f6a266f30de2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e84763f7a256d2ab3b0c75dc542e3a09

SHA1
2cefd03725cdd4192c9c63654b93bbaefd955aa9

SHA256
9ff38d065cebe14538187b394814848fb9ee55b52a353596aca18814850635b3

SHA512
bd2c49c083af9726af1c2b0d22944c6d564efe072986e0b9899df36256f5dd2d2c0483c3682877009bb65f68be73398427e8f52df824602b4833ae3cc0a4b495

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8a32362637932b1179a8f3c76158394b

SHA1
ce603315986f7226a969fe76b10a5fab75c46446

SHA256
c3043c3e5f50dcadbb4f66c2a3d9629baa8b7ca797e4cb1f72c683ad1af51966

SHA512
8f35ff5d2e6f4bdc2748c100e780b63a08efb5d08e84c5be9c23994c555e5f1dc21c68c70a144dc66f6881eb3d6338a10b1f49a099d15ccf9c82c893d1565818

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e4309d7c8b17642a762590459a334d4c

SHA1
56dedf014df5b68bba554baf775ecaeb95096c45

SHA256
ac5fd135cb80f73cc9865f93a2bb47458d186b2c4827c9d262799172d25324fe

SHA512
f7814a81dad4f5a37c469e2ad6abcaddaf66ca866310c16090eebc3406ddfb7248a13244371c82256c2b47bf7044bf0bf31c9f20879aea96ed4eff747fdb5c41

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
67ab814e4bd01e5f074593ccddab5b80

SHA1
eb5797a77f8736d57cf25767d2971e24c1c5a1e6

SHA256
9142f925c60f153fa48775c325b54c1dd4a51a8bbc1eaf7d0e1f909978837b14

SHA512
fed5c1d92ecd158b4e62e5b2ed7dbdb6fd9c9399e52c7a81efdd10a322b9e6c17589ed8762ef9432a70d236965403acfed9e31343e33add81e8dd5b817ab2407

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1ec5ee2a4ee9265f4721180010439a99

SHA1
590519a2a9c059f4453922d4e3ef1702eb578bbb

SHA256
610ce193a4c8e6b0bd610e603aff785f1c77b1a8de55b90b121c0fcf0c2823bf

SHA512
37a735fd9dbf80b2b8654c57f642d6114d650de9fd76296ead4d95ec6d9618ee7e14a1d2706b7eb2119b2fd1304c7fe5781575b55b67c2550e94271e57a315a4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f18deefb17683c799ff7a4a376882d8a

SHA1
a2c78e54cde7a0277db006772175acde216dc7e1

SHA256
84fda07a6988ec00d1a14700c64437d874f4a909a52660bf989ea8deec467ab7

SHA512
3c741fadf5d8b42b827deaca3220a37fd8a30742870499a91d5f6164f94766641ceda9148ec1503d0d4d35ea525ef8fd9cefcd26104b227e8ec53c20bc059f80

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
aea4adf0c6f1f4649c2b5107907d70a9

SHA1
0500f661d752e6112f4abc24b2821da69f543d69

SHA256
e689ec3f48375dd5bba9156e84b3860bdf42ea0630517897656497f525861b3f

SHA512
33f4570be53c500817540df035fde1f09d2563516ae9bdf3893a3c478639c804fa1e31ed5ad98bde4f23236887c09bb1653bbd50742d9a19bbcfc4e68a130eed

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e26983d0ed4d879e65e0c22a3f403e31

SHA1
e4e2061b2097c6545b3479aa8bdcc9737cb962b5

SHA256
65a23956fe31243dc1b11ca5ed513e0f1c9d4aa469336197d507531db41214e0

SHA512
13f89a95ec4240ca1f25836c6180b89dca7dc55b604854c102c84efa32666d65e3c4bcf4b1db97ae186abfa38f6859768d7cb7f346d02cee2ad71a9d5d0e6955

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
83a19087e0490743ec9b2e4e1883dc08

SHA1
90d8d296cd6ee2cfea96bac89f0ac7bc4e05e478

SHA256
9e33e9b5af56eb1fd8b04ec81bac9a8f8a5f11272678602d225ba1ba8abc6783

SHA512
a8680bea0f5016c5bda4a51d3e8e1818c412ecc9f0abf75668a36ddd9f5353c8cd946c59cdee181b22227894ee03cbe86a48089cd67e0ba836d4ed99a9d40174

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5b7c5018bcf3cd2108813834c795102b

SHA1
70edfbe5f7fcc06da06916ff5aaed47259025987

SHA256
8eb6ffd4cdf37e1e5caeb2f56a8c153979512dfc2827015c693fd7dd523a8a2f

SHA512
cb0e1a8894dbc92d093cf70b99db80fa54333ada528e8173b22f30741185f5038ea85fb8ceb7f507bf8e477b16ea8aac244019f4a1a477f397072dc3b8cea20b

Download Submit
memory/1204-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1204-83-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1204-74-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1204-80-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1204-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1292-611-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1292-186-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1416-57-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1416-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1416-37-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1416-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1416-44-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1604-208-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1604-88-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1604-89-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1628-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1628-130-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1964-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1964-172-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1964-48-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1964-54-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2060-6-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/2060-2-0x00000000022A0000-0x0000000002307000-memory.dmp

Filesize
412KB

Download
memory/2060-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2060-444-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2060-100-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2160-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2160-227-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2224-442-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2224-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2384-272-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2384-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2384-562-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3088-621-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3088-273-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3224-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3224-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3424-619-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3424-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4000-195-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4000-614-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4048-239-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4048-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4196-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4196-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4196-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4224-618-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4224-228-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4280-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4280-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4280-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4280-115-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4320-252-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4320-620-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4544-177-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4544-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4544-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4544-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4628-559-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4628-173-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4832-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4832-615-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4956-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4956-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download