004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
Size

625KB
MD5

de021087ab45150cad1a69fcf3836318
SHA1

5592215b56b980f05dc390143d9d15c2a74f29f1
SHA256

004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014
SHA512

87a3b00481d9fa13e4a9426e55c53241ed6c33b6222ac18af55ded1412a71d3af552c2e1f8b22ea010886cc1f941ba15b943eab60bc8d43d72206102cd694eae
SSDEEP

12288:BJE7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:vECks7WE9F5pwg8zmdqQjC60jiHkU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
220	alg.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1788	fxssvc.exe
4548	elevation_service.exe
1628	elevation_service.exe
4492	maintenanceservice.exe
3868	msdtc.exe
3928	OSE.EXE
4560	PerceptionSimulationService.exe
1096	perfhost.exe
3468	locator.exe
3588	SensorDataService.exe
1804	snmptrap.exe
364	spectrum.exe
1428	ssh-agent.exe
3156	TieringEngineService.exe
668	AgentService.exe
1768	vds.exe
4660	vssvc.exe
1220	wbengine.exe
3524	WmiApSrv.exe
4520	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\dllhost.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\AgentService.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\System32\vds.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\msiexec.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\spectrum.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\System32\msdtc.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\vssvc.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4c46debeaa61dacc.bin	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe

Drops file in Windows directory 4 IoCs

Processes:

004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d927f4c89699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1111fc99699da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000268af6c89699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad9b09c99699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bc210c99699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003be755c99699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3196	004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
Token: SeAuditPrivilege	1788	fxssvc.exe
Token: SeRestorePrivilege	3156	TieringEngineService.exe
Token: SeManageVolumePrivilege	3156	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	668	AgentService.exe
Token: SeBackupPrivilege	4660	vssvc.exe
Token: SeRestorePrivilege	4660	vssvc.exe
Token: SeAuditPrivilege	4660	vssvc.exe
Token: SeBackupPrivilege	1220	wbengine.exe
Token: SeRestorePrivilege	1220	wbengine.exe
Token: SeSecurityPrivilege	1220	wbengine.exe
Token: 33	4520	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4520	SearchIndexer.exe
Token: SeDebugPrivilege	220	alg.exe
Token: SeDebugPrivilege	220	alg.exe
Token: SeDebugPrivilege	220	alg.exe
Token: SeDebugPrivilege	1576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4520 wrote to memory of 4392	4520	SearchIndexer.exe	SearchProtocolHost.exe
PID 4520 wrote to memory of 4392	4520	SearchIndexer.exe	SearchProtocolHost.exe
PID 4520 wrote to memory of 2212	4520	SearchIndexer.exe	SearchFilterHost.exe
PID 4520 wrote to memory of 2212	4520	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe
"C:\Users\Admin\AppData\Local\Temp\004ce70876af94f1bdb1b66026c69f975442f828faa7f8b5495a752f45a22014.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4608

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1628

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3868

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:364

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4660

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3524

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4392

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:2212

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c2a4d938d59c30b599223a6cb78831f1

SHA1
1d34029b2ee0690192162e759fdb6498c6734913

SHA256
46ac13bcd4146503ae538bd92d860b71031c8d39cc4b5029b461f24314a22c5f

SHA512
884ef6a08e07e0804a22771f42cb169ed463fe1d7f799a52360f7f8a4cea22a9bc2225486240c3d9afd5a0af80159f0f861f19ca7f3d72960974f934febece19

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
4257b157da46bbe35c32a779e8bd2be4

SHA1
175020db897b7e616bd7f3fdccbae408c505d2c3

SHA256
384d938819d7df58438a81a16b25c6744c0f80d83ed2d05c1833af189b692680

SHA512
607f70fbe4c7186c32ec7a05db797745e177e90f700b7395c58ae8da24416b6e4e86efa5a97226be6592fa04db57ab4d12e6e1d346555bf73946623ac5c6343e

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
729a28937d5167871774df7cd3e96fc2

SHA1
624155177e4581009f764291e7cc55ad6f07fd40

SHA256
af68d31af1b856546263d1e613afd961f26bcb8cea3b9a2e310f76edada7315f

SHA512
f91a05030c4ba86761012acf4abb9ed4c83d966341e5b123b372547ff4c44c6b398432e3aab1b6bd55438380883bf1c1243e68f1f5eb7d155206f563d126594b

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
7873ff4cddd00fd006a4e9a10b538df9

SHA1
e3f98a2e51c0315326948d0344ccdf141361cd0b

SHA256
4b3de02e1364967bb0b3165cba3f1e55661ac46e2cfd32b67668803b4c7455fa

SHA512
a59f59485251ebbb9b0dec359343f59405fc3431e68d78be5569b3b685d79a1f25e470591f96d1406aece1bc317d0a5da749f564330029dfa003894df7d5cf3c

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
49996e7e022b8d1eaf1b0f9e61203bb3

SHA1
b03c88ee4bc12fe97845c515c0bedcab7bf20925

SHA256
9fe2fe17988167784fc55bf560f1368d45805ed917f1ab5195d900c1c76cf158

SHA512
83362d3546699e6b6ba435e94d97f0c5cb3e8348f21af1a6803e312302918fe9611ee852d69f6a2a88ae65398e87cfa918afaa643644837fb33cd44ba10d21b5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
f61995d2d032d45fa440bc1c2ff5ccd5

SHA1
01aaad50a92a121e45e7cf2ba4f0d7ed50022bcd

SHA256
7dca5560ac0bcded52aa05d355fed5640b318fcf261ee9c13bc4b736cf40d24c

SHA512
7f8e4509c0283d35e7e0e6b2fef44e86cb9071a5cc195b2351950045883694059439bf75bbaf35d9f19bd67ee6fc109916f03902eac98763ec33937b5fb3817b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
c1d2ec3f33d0f878c6f0e3657adeba28

SHA1
14a507b331bde5e0066c4a0c24c98974a8695f24

SHA256
f2fd3021c0ef16579c801837555bc6377f0459f870bc6dcb14ee511972ebc555

SHA512
6cb61d4d12d2559fd4c9e03ac871a1408428326a70a2aee55409a4a140caefc89e0d910f48dbcb42831ded19fa8978651319627ee3ae7cf09e9b2d3fc1e04d65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
ceb0ed2b9717aa9b7386caa5825a8e23

SHA1
b7bded7d682ff301c4d649f3008e1f4c26ef7698

SHA256
99f74af5098a4cffe54b8b1559584fe89a237ed2522f1bdee2f3c37bc113b0c9

SHA512
b0cbd4ee9897f26a63a1f0b9a994889ee4fc1aaea6cd6a47c10b90a115cca47559d3850fe18cf5a224a2e2e19c6f9b4e900a3e71f8c824863f0c88c3f3e0fd1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
a8495069e75ef72a83601bc9289a48f9

SHA1
8484152100d90dc50c00d0c780bf45c823ed5c23

SHA256
6338406f92a368b6754d348ab8c7960d948f3b7d812f00e576fdc1bdf2419ead

SHA512
668ca9daac29210e7e14ee387c86979bf8b3db75bca743389db724bb04aa2d0f5de4815a7ebb9c395e460e7487ff19586c05273152df9c5470af5890906deefb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
58b1330528024d53f599810bc2b8ab26

SHA1
904c0be35148508e23a6c1b9a6880b8f68c59a2f

SHA256
3823bdddacd1df5be6b81e21197783731ab5302536ae8524df97d0811ebaf976

SHA512
8e8487fc07a877d1c3c348ae7eb1dea1ae4acd175b86fbfbb6bd27c490f0b72389f8b9e34041904b0fecc1b2f304bacfe8eb68f828a638dcfe39b67a8d04ca43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
963cacc2d081f42f42d38759e55894f2

SHA1
ff9c6cd08b4aec3e6ec5148b5de1874ede762d09

SHA256
b41722b3b23302b2030568819e0d826dab67f5a0e7e8f73adf8aa1c449d64b0a

SHA512
1475b08b12c2353d7c5f5f9e5494524f1f43273da8faafb73d8010b88036ae3d6351cd938f6c3562be26a857b39b483ceabeef890e03126128576877cd020190

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
a4adef646547d820c4b38927667a5aba

SHA1
dfd2cd350f175a54a666a2460457a63cd7ca350e

SHA256
4f80e6ebc06c013ff460838c7eabb7d627a30d9ef2d908bce8b8d15ad67a5ac0

SHA512
29fd757749144bcf95c5ced222ddc2a7baef0fca213a2c4450735d66c94f7e82b832527d367e196667f79d945a30c261ea93ae369439a65eb2dccd3ebfd77153

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
46f4397c86a6993784c7775d879f67c9

SHA1
13fa063a1fb73998fda194f4cbdf06ece3944c66

SHA256
5ee8fcce9506d27288588b3461a9e0d650d33f2a083fa859b73f796b8d43415d

SHA512
2e1044eaa6bad4db705815739eb730c933b36a024a581138aabdffdfa6ad157c084aea850518c017788deaf0e5113e5ac937f8ba0d6f600279f7f786cd82622a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
06fa9d4776f2dc33259116bfa2a15e59

SHA1
2475120a63bdc37446011b259d0ba70185b753ee

SHA256
dc77e074fd37793b1e48aec1899330d0b66fc47482bd97c66a95c9107f77678a

SHA512
25096a793c52e3b9b6b51a6f3a5295600a46fb524ba8f3af5d72a60568bf3f7d83335b0c603c6e709c8987c2b479f1c4e2dd786479483390cb15e63473476ee9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
e2152d6c6d4bf5da6596490d6805280f

SHA1
f0b11ade4f3b9fa985d715bd9a947283b350be04

SHA256
d5398862c55a33cea2d58312e725ed171d085df71095a87eb8a2387dbf3223c6

SHA512
4dcbf35febb27e03819690da3aec02c227f7122650a362a9aca6594516f726cb0ba1316ef9dc7bac7e0b7acb9710d9084855d1cb97cb9e9900816769d82ec382

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
1ece7e5e77a3418bdcb3946270d53852

SHA1
4665efd790b0f7612ae859dc71632e0d82dc9349

SHA256
ac0a00ff0dbb6281af2112317e96fc048245109049df86951f2154cc1bfac7c7

SHA512
07a9037af95e86c8cf41f77b4658465884a2cf054dd8e14fae8c5ead1f8bac9b5d526ca7cbe5ebb013c3682827b3c000922054c5816046bf7548723d82d8a0f7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
79b164835cc9f945b7ef602f61572a7a

SHA1
87d8c392ce17b327be0c566340be74d823fefeef

SHA256
7c9a3aeaff762598b025cbc1ffc4a4833b21106411519e7306ca05bf9dd05043

SHA512
5c13fa64df01f7f8e2d4502a102d26d84eceb51483c37f470b869c8e0045921ab381633ab151c3a4b06c90764ca60adce3fe50fb5119dd49a5fb988f67c1e7ad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
63bf2098327e3b616792b914510fa96d

SHA1
a0aedba0a941e0bd996866122006a5434d29ff5f

SHA256
1ded27d2fd5094d630084909e665251da5236aa18bb8ea1c7d1b17e52aa12c78

SHA512
ebb916ccd6ea87048875fe315a79141751cb1a2e1d90de895f08f74599c691e1b2eec500f27b75b26b379614f6fe00cf1d17a69102e89ed9941c3637f5e05c87

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
2f587626387b681546d08808b5c1d1ce

SHA1
d45b6ea3d016725c9d7cc800cfbc896da19ee3e5

SHA256
9b18880d9550d75424a4002bdd7b705c9a2ca0fe14180df35e68f80369335d7f

SHA512
abbd5a628cd4654fd032599c7edae77d721f361f188a98ec51f0c70d71713881fe6d7e2d3d92b244dbe5e6c860c976464ad819605f86704182d202a33bcd39cf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
7d22b833280af670e6c35ddefa880f83

SHA1
4bde6e5a7e3601bae1268ddc86d67d0a679179f7

SHA256
130f82d07befe6dd0126857a15b3dfd765e8c4f4302bb667735b6792f0ca02f1

SHA512
9c9ba462f45439ae2fb0b7936a9585ba3a62dc9a3256f6fd00f12f397e35c48e6b4bfc4e2cee07bb73724fc498340116070a66728a9365a59b6eee76539aff1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
11ba10cc36f8cf482f2b69eb7f4399ee

SHA1
e9f65fad6015080093507a46dfe8d66e496dcd22

SHA256
2c74e5be973629bf7e2c5b58c7c882857af81ff687f3ad67c13d0effa8c00218

SHA512
f4b6afc99e5d520d5f946ce5793d938824f0aaacb6912d493e2634dc06bcb6d734b02d05284bc5d2292a7e54e263d483a421bb0306283bf9867d907b2f0c81f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
0eaafc55adbe2f87ea35130962956d87

SHA1
d181acacfbfddc5d20766d0cce7262d4d0e69593

SHA256
b88b1e278a773adb4e36cdad511e080db06126a3a8a19ee17cad046e4ff1a0a0

SHA512
f9a3e5200b677571b12dc89cc621de36f1b9e77f93470c8876675ad0ca17317758d2b3266ef72973fc29749f9db51df5998c905bcde835a525185e367886cbd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
452fbbb412531e4d9db828291cba3498

SHA1
731a05bd354eeca48583d3adf73ae9d8fe2b9808

SHA256
202549b7973514dcf872e5f67543b64d97b9f3df3d2066a7f5eb566676d2cba7

SHA512
c77d915529c3fe152568f06b8acbe4f1c5273e52916a09ba92e3aa6a907d8c4ea5a62c255688323d9a03d31d0973faae2c343391dd6f9f1c8e2b89cc855aef75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
540bf94d80ed4a9b2ec5428dcfbc87f5

SHA1
d6798e98993b3d4888daf24b8f9fc8074176e852

SHA256
76ec719d51a45d2f74c4a296c88cd26efaaf8f0bb1e8bbc54eebeaa8dafb3a72

SHA512
9eac4e1264eea31d2c8838ba88110f23e1b2af2bca7ab982379fda1e470fa07642411a0e91ab581ab99d57bdfa3017724d1ab769517efb34f07a0a82a6ade54e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
45397509b7bffd6b7ef34fcd4e2978ff

SHA1
82b8ef17e80c8b8aeca1784ff831d974bb649237

SHA256
8a36b52aa3a9592568cecb66540f5c0c537b1e2fbe71b8c9157ac70eadf6b44a

SHA512
d4f60e3fa09cf4dc80e1db38ba7c90783a3f4f707c66d23ca3ac9301781219fe5e6688369ad17b4c825c4163c25e90d5c11a5272757eaa2f9ae30635f8dbee9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
4c919bf5064d191adca7e636dcfe08d5

SHA1
bb55f8d5d4519eef135c68e7bc3942ac02b5859f

SHA256
f09c4a8692120b987fb0b7920a4f2786d7354f29528b0ef1e43f29dc230a963c

SHA512
0b6f67265b924d1811b8e9605c497503b7ba39ea8e79a06d7c71e1b3c16b117e44aeae460745fdcb0734debfbad73652cea2c8f3efd77e41fe3a3fa097490ea7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
01e5c60049d9acf7027b2c2d09d5e1fa

SHA1
82060b72630c9c7bf492fa01ca16de9478ff167e

SHA256
67fc7a3f03ca1afe5dd6166ae26d3133aec6761e3f8756b8232a527a0b7cd3aa

SHA512
80a373817600366675503e3265ad8f537778654e8ecc2457a0fb78103114015ab478eb09f6921bf5037f4332d758684a74a2368ea1de94795c28b3a989ec7750

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
d1aeb7d8c943e214aeb4bcc244b6d376

SHA1
6267eaa31cf0ae9d70af8633b882c9fa5542b5ab

SHA256
80b5b90c942fc35f571f37ecb96cd348c3fc4710ec4d3a1a2bb83020566654d5

SHA512
f3bf3dea21a97c4ed39319cdeb630036bbf5baf7cf74e98a1c9942659be7d95e0fb45f0150c59a93b9bf2b3b27ca0149a944013cca6c96f54c69b79ab3979dd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
5ca36f7e7737e50dac5b349dfd54a7f9

SHA1
5ceed93b32080cb131c2b8116673b9ec109b8323

SHA256
d4aaa87e52c262726040e0a8858e2e61dc522f9bec275bc9cbcbe8e971202deb

SHA512
bb930b58a97bfaf7269f6361685edb3746ef6d2acf785abbc34428f3ec92e35cc88b57f592a1106a1cd602b6ea317ef19a625a80dfccf364262d7402ea624d8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
810c59505257780b29d351f2f22dfbde

SHA1
cab432aab83be20f0183166bfde96cd079b2fea7

SHA256
fcb479200af407ef6eac7d420f4496f970cbcbef12c95ec767c9d8531c6f7e78

SHA512
7496623922adf60084b95aec0d3d493a35ce0fe939a23aabafc24642e26ce045e332b30e831a0509d198ec0134fe54af5ca792f735924c45ab66c0a458236b4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
f7de9c0460cd466dd0d042ed55dbde88

SHA1
984e5e88d4325ae2484db6e7217d5d37d8f1a431

SHA256
cbd7a2a05484e5db9107cf404afffe39f8cb06103480fdbd98e5e2209f624d39

SHA512
9036dfc6bac92dd8819f16e0c63f7b120c4d334d9f2c9f4dd49b9f4e0485f92df93ee1bc944cb6cc643724df6688380e955e17db5e83420bab2c335a23fdb088

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
5e5f0ec374e7be311aca91673f5aebc1

SHA1
9a4d0948c20dda5edf066b183473dc3e62811cc2

SHA256
020b895f680dd78d5f27a263f93dcad5779f57505e3f8e2f6a081c09bc031700

SHA512
1ff058bd33317ba5d15ccdfa222cb1e00f61c5e5aaadc7d78ce0ad3e4dc52819c8e653e1b22f84774d24758787ff3488fe7b5b58020097298a33adc3bd071366

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
9e1952b7c3539199612a20754dcbf29e

SHA1
7c2173b2dee6db52ac53c248b1ef7e2f3cd84c2d

SHA256
1e526434f609e3f5f32e17b8c09fa1625527c50eb224fbe333bb482fdfbe89fa

SHA512
d788628dadc3baf9fdd9c2963648c552179fd6506886ee360abfadcb37b83bfe0996940f44dd4d0744aba7150472af44f209cae2ddc1028724595bbfea34e9f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
0cc44b94db0afd3c8a175f1cc2fc16d0

SHA1
fb636a28c68048d73d2c2fb40e494ebc74dcbda4

SHA256
63f5bafc3779591ce4c72898d4ebdd4e9611a1273e619c19775ab4686762e3f4

SHA512
1a5bf77e652d601f2a20cdfc0b4d05864f4b9fa0565f0774c5c2cd5719344387599ccf8047092e1500fd0d267dc5f5b5eab76a2ca45b47d8b011420fa5913b76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
6d70da827af97126089bebe2c1d01981

SHA1
e014fecdcd41b714e72aa37e88e585325f7d4ea7

SHA256
43a54581ee560dbf8b883d1ab8deca0ce04bab62e1af4060a28a2f3ddf8231a0

SHA512
2ee84b150aafba7730edc963d79c4a63f06cce3b687c36baf198644f9057bdc39ffa23c4d23e1de864d2541bea421019bc03504649ac0564158d0f8daff879c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
304f6310883469038e1c1b32234230a4

SHA1
2588f207af9550383f52ad351085dc840efe686d

SHA256
87ab1f177276c06cdeb1eda37f2898e3023ff2b4308722353e4c902aa4b507ec

SHA512
6050ed716c9176cba767beeb5ca808689ea67401a9d2be4ba92ab9ebf6736afed7de6fc2c2a39acaa4483281f8ed7715cf4799b5ab6e69bf8c8d0c17a426dddd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
b96fa2fd3bc4db5b0eea02f466a3873b

SHA1
213c5bfc97c78b7754dd746af20219295bd9df41

SHA256
c59821fd7691f778f30827986bd2a430b50d19c5aefc37b4045d60fd1cd62680

SHA512
1b724ea63ccdb2ebe52e816c925907b13a7f7f79c78e8a6b69ac2c407a73de488a10ad8415a2e817ac94c7a2fa61c5447ffe6136267d5df03ededb654dff9652

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
11de50f23736513b4471ad800b30626e

SHA1
fa25bf544b2403fb6bdd006b3683bf563fc29593

SHA256
90e1ec61eb02faf8357c67e7202af6243bc5a823c1a065d7385f3701f2593628

SHA512
7abc4797ac8606d850c76afe00a30b5296306a4f0cb8dbe3799e0edd1ba59f63fd380a6bfffb5e0074d37aa185070df226def81ae3c076e98fe938a045bd89d8

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
68b12274bbe9215ce0d3def26bfeef1c

SHA1
614725521f90fc96547655ea58a0b3da821838af

SHA256
3a38e2fe1e0b4ebebaf7f397c71f4fe501bac5d5faa88820bedaad37b42c5400

SHA512
004651669c02b6ccfea19bc5900830435da26183b2af9ab5ef3e24b9f192416c2855940e0674fbac1031398e4a6e4cea2bf0aa883684104ff2573e571e092bb8

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
5c0ffa2ab171de83ef204168846c3deb

SHA1
c4e5ad7a17cccb66a6c909f045516c4612d85ece

SHA256
b0a51f0c826485b918c19c3cab48aa399c700a8d35c7689df815c2d1e0bd49b7

SHA512
2aca2aecbc932becff947ac62363c11b5378159397c8a76ea06a539997334d252cb2ce354717daca578d6f7ed9033ec61a93ce6fc89933af2ada3171b69b760d

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e997c832671ae84960713e10c68ec56d

SHA1
30980738b25a4208f39ac6a12504667c012a4783

SHA256
48c6da99e7ff0634f51c8f61e4d66d8eddfc330faad750105365d26ad9765ddb

SHA512
a4b9cc0b40d4504d9cdbd62d55f0459547365a635c82e11e40cdc2348dadeea01752c887f41178fd964c7343a94939d6193705bc7bd2b257d9e16e30cca40a2b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
3ce8e45f90320341b1963bf46aad908c

SHA1
0007eb44823eeac5615c8b1bc158c4af07f658bf

SHA256
baa709ca51c5cfae51e64c27194a215e36e9c81db06dd2be4c5a53bd7535c9b5

SHA512
ecad68090aedba8afbcbc619a7c4fb9feb6a582ba5ece8697d4c2ebb63bb61a42ddc72ebd138bf424722c9cc5d00fc64a01d659186607991df3b628360da135e

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
92966d308097315ee55277cf45ca3ff3

SHA1
36746f9b3a3485c18b42bb1548f4c41f63e758ea

SHA256
4ee6bb43a2fff27bc495b338d54bf83ea6217a86eb36fd7558ec69e1356d73a6

SHA512
47e25c5fd3db5bd7b31fa7f634f841abff7c4266392b15afab1c83f5ba10ac61aab7ead6cbcd67dff459d768818a507f63b674f3439a088aa8b25b249e65d452

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
b665d6418ed63128c24b27b28701bc6a

SHA1
507bb3d9569f4ddb6648893ec29c14f6ede4f05a

SHA256
c7840cb60242b0e2939e9262185b2386fe3a6ffd95ef5b9ce9af8b8286d89364

SHA512
df99354e5bac50726aa579989935775f2056b5996ea6b894a20af51ff02be4be47b3618c5aa1528f33d16991ce303631c3f701effa96bb263248f3435805fe38

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
d46242c24d041d439dc12645bc63c40e

SHA1
bfc1aa449e5710f0d943d049b6cd52034a158411

SHA256
6d00f1ddd347e12b2911f97cec002441cba97013e238ff382a0d8e1e8bf0cf49

SHA512
f3b7b4a093f9261f2c3edcefa1aedc1ef21085ff68edbf311d8686e9db74f5b415e9c0b2edde980d577dff625135be1880fe917c5bf6182610423d168b5afed0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
21b99bc36d97154de95df16dde579e4b

SHA1
5f81e3eb203a69cef05e81617c1e3d2ef24705f3

SHA256
696e8c959f79a95781bf6919bf853c1f3dc3278ec267d36d4ffff963f540088f

SHA512
d5abc8a943f5c6e5c5ee8a6b1c67eaae1d56b9fb2fb53ba31f2a6d544964e0ec221a55494b35cf580ffffd0ae9aadfada12aa626aff83b62313b932cae39174b

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
4a97bb6ecab288c3fe8b8757615500ae

SHA1
5525213e395624a772633f4436a936ebc53dbf0f

SHA256
70088da6f89b556a2dd9cd513bbf7ddf38377440a760c1ce943072a31bbbdde1

SHA512
3772b975cc610d89dfe62228a43922a56944d2f364165c302f66aca4806b828f6246dad098062a571c3037456a57c427483bc1b81e1966f293b17d974146fbd9

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
b707b070550863383e13d44a663641fe

SHA1
4fe68bc34364223168a213621779826370e2a35a

SHA256
ed2029a7ecfa29e4e0c21f70c6748e22a90e0a21bc2949a84539852c7f816fd3

SHA512
d5d6d16733d53ac1731841921beb180e534bf5613bfc6cf33227515e911bed6c653d0511a76d302a3147c89a24524c9c463a3b39b26eeb835991b8c25b7417fb

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
aad6be4dace1be14482e91c6b0bfe232

SHA1
837a3c4005d84b9b82a824917b80e285e65a2293

SHA256
81631e9aa573a56ea6547a2789101fdb9a9b92eafd16ae96e8e8ff64bc570a0d

SHA512
c57bf9b056bef8b12ae41cdfc55edb93b00cde3d0ff87a5b99b24103a04a6bbfcae98a810e9dccc5180ee884ec91b8d96ee1171f53b0e941a7aca20774e43041

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
122ec6903ea90a074ddd07756da854c6

SHA1
d077fd25c9bf58b15c61624d572a71558d309ec9

SHA256
b337f738d563414483d91c1350c272f3ee4c2b6ab793a78fd279166f4a607e7f

SHA512
a5bfd04a2fa7cd4dd99105249a3903f0ab9956149d9c89a95004e6e42e47f50ef69e36f58db27b0ea96ed17c841f40bef970e3f5fb535b53ebd54ddd8130abb2

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
0f3b491b2d28f7477fe07ec0a5301d59

SHA1
389f85b90f2e68aaf51fa935b6707a1c99dc3c66

SHA256
bf50c5fb240530f7214a1a0f9fbcee0a54bd9554f1f75b62e0e2b79cceef0696

SHA512
02dea4334b01648d32c6646ab860b62a4903910463353772209c830d7b16b4a2387b03aef80601e8f4ca370ad2dfdf0901a851a6939a5605dfc59050385629d1

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
bc4878b6cb0be3dc6637dca34e36840f

SHA1
4956355957f0b8136890b1999d18cf753caa35a0

SHA256
1602b58dfbec99df00bee4a0ab235808a20be77ead04a5a2bbc0fa725c32e107

SHA512
855cac1505943e664e10fc8f7dce8848b1c5c34358218a1ce70e91c3dfd7d2666d244c5c431851c6d8668b1cb8cf71491f212290ae3d57ee5417f54dae32d984

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
7d4e7071c9f181e9796b3828bc6fbe43

SHA1
a479b971c25f8f7e32a9da91f744796338c11774

SHA256
38303355185215b491c14b64bc93a26109a8371680134b092129abe8ce02219a

SHA512
39b92b2316c36893d1b8160c44521023ca68e538c1f989ab242aa7b480f4fd29db782064fe91c3de9ce237b9eeebda400b8fae1e68854fd4eb6229d6e00bb0d5

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
16f59390a5d6531a817660f4c41ace07

SHA1
a1869c0c4e72d3ab357c155fb1f72cb6d4587fc8

SHA256
9d39cfc47c0a54d7e8b779ac63357854f0c29a69ab5b2663bef43d15648a14a4

SHA512
a4caa83dcad7b88c6dcd931421984cb18f207d3496458c44d107c6d53e0e9b40c435b0e89cdc7d1a6d300504e5930beae7cbbbc43c781f2e8f5669609fda4877

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
9d7a008681527433151f9b94b364bb61

SHA1
dd19d0490fffaac931535c8ffbb89f399b1ad096

SHA256
9bdb6488769bad542c4083ec4ff0a74798183f13ebd17d696438a49afd960ebe

SHA512
e28197bbab65209c4e62206ff20377518aa986fabfaf11e098a9d4c1b9c13eb2a85258ba97c622f485f260b16869735a025aa66732e327273c26fb1cd70c8374

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
3d65fb82d102945af8c1bda9bbe59954

SHA1
4473380227a8331980380ab174b18fe4f7bf0399

SHA256
3558b1f210a2a9019fe27c4d74102ad65da8f27737b9fa2e69973a4518322dc8

SHA512
5d9510991bf0b958379c31b73bcf59a75011f58a5629aaee898a3ec9728027c3baae3c90954014b6266ca93edb866609e7d63f1e6ee5dd6efd41441692ee3dd1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
4d6f2dec80d6d873fe5f2f86d42deaed

SHA1
73e0a311a1ff76d0cba4c36f300f37c97bea5fe7

SHA256
d54f65429808e5b289129bcc8503c919b580dd52e3a5fb012154575ead3dc8f1

SHA512
b4a8cd366b7954ecc9f39c36cac22ff5c2c9c6cfd72cee247ccaaa22985136ce5bbf3ffc82f34b6fb4044d0a7907a88395605fcce75f3f6ea361485d5ea081dd

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
f69ca6e1a76f947642043056a0d7727f

SHA1
772326af2840dd8b6ea9f188d7e867330537e958

SHA256
7af3f70d42bd25c6d216efc60cf13a89118004877dd1b96df538a318d02dcdf6

SHA512
955f7b6654329c28ab6a560222be54ec7d36a4462ea46c52db31afa1cd7cdf4d3a2608e238b14ff7551e4b9cc1f574b53d3132483b12eb7a7d405bafce62f266

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
b1ec8cc96fae29526b7daebeee9a4c96

SHA1
a2ab6f6ddac83f0393fb819306f9060e82ab5833

SHA256
95284dc1d265250122561f985742a2686367b3078c22ce451d14e708e7ffd8d3

SHA512
26918b38cce29684e72e48977ed6fb6e1fecbd61554a0470824a5a7ea8436422ea1e237190a9cda6c91624e7590d1e72d34548a9cbec00d5897870941ec4fc54

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
5c25a2c4889923fb2eaed1a2594b270c

SHA1
7df8a18ac64b61e4aea7c3ab44d7c85bb859e6ce

SHA256
5cc08aa528fb24b2294a5702a1fce17ade94c2556460558927d665c8f1be31a8

SHA512
d02cc6e239c1bc5c9fe1791b3d4856108953ae3bfffb61e1e71533324ec76cd8a58caa4b98bc876664a1a9026146afc252a0add8f176e38f5a236dd7996c5430

Download Submit
memory/220-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/220-128-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/220-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/220-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/364-643-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/364-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/668-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/668-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1096-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1096-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1220-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1220-653-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1428-180-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1428-647-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1576-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1576-36-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1576-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1628-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1628-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1628-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1628-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1768-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1768-649-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1788-59-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1788-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1788-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1788-47-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1788-38-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1804-432-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1804-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3156-200-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3156-648-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3196-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3196-451-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3196-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3196-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3196-102-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3196-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/3468-132-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3468-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3524-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3524-654-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3588-646-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3588-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3588-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3868-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3868-202-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3868-91-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3928-103-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3928-223-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-75-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4492-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4492-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4520-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4520-655-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4548-57-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4548-50-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4548-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4548-51-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/4560-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4560-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4660-652-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4660-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download