3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
Size

1.5MB
MD5

ca5784b6e860b60c37433cdec5a0a3a2
SHA1

1f24bb1f48967297d77ede6c5b2899065d6cd410
SHA256

3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed
SHA512

f0697e5ba43b96284f40d3afc29880a62a9fb769531a640563299747041bf10fedd127cbc3eb05c1ae6fa8eb52557f5abea25971a2d656b5f92fe8f6715f6b77
SSDEEP

12288:82kp/SInr8vv2BDeT+bVYHTb3FRk/rMNxaXqqlPbJKTGv5DYFXOBnXREHa:Ja/i328ab4F+rM/aXq6bJfBUam6

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3044	alg.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
4460	fxssvc.exe
3232	elevation_service.exe
4476	elevation_service.exe
1924	maintenanceservice.exe
3176	msdtc.exe
1168	OSE.EXE
1724	PerceptionSimulationService.exe
3144	perfhost.exe
3576	locator.exe
3368	SensorDataService.exe
4612	snmptrap.exe
2720	spectrum.exe
2988	ssh-agent.exe
2684	TieringEngineService.exe
944	AgentService.exe
3652	vds.exe
3924	vssvc.exe
1828	wbengine.exe
5096	WmiApSrv.exe
3024	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\locator.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\System32\vds.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4fe7419ad45b396.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exe3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe

Drops file in Windows directory 4 IoCs

Processes:

3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchIndexer.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4ce58dba699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004abf26dba699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f6f72d9a699da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a6bb0d9a699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074d2a1dca699da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083331ddba699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007e7efdaa699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2dcc8dba699da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe
1064	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4604	3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
Token: SeAuditPrivilege	4460	fxssvc.exe
Token: SeRestorePrivilege	2684	TieringEngineService.exe
Token: SeManageVolumePrivilege	2684	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	944	AgentService.exe
Token: SeBackupPrivilege	3924	vssvc.exe
Token: SeRestorePrivilege	3924	vssvc.exe
Token: SeAuditPrivilege	3924	vssvc.exe
Token: SeBackupPrivilege	1828	wbengine.exe
Token: SeRestorePrivilege	1828	wbengine.exe
Token: SeSecurityPrivilege	1828	wbengine.exe
Token: 33	3024	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3024	SearchIndexer.exe
Token: SeDebugPrivilege	3044	alg.exe
Token: SeDebugPrivilege	3044	alg.exe
Token: SeDebugPrivilege	3044	alg.exe
Token: SeDebugPrivilege	1064	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3024 wrote to memory of 3424	3024	SearchIndexer.exe	SearchProtocolHost.exe
PID 3024 wrote to memory of 3424	3024	SearchIndexer.exe	SearchProtocolHost.exe
PID 3024 wrote to memory of 3584	3024	SearchIndexer.exe	SearchFilterHost.exe
PID 3024 wrote to memory of 3584	3024	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe
"C:\Users\Admin\AppData\Local\Temp\3328658147fad229910ccdcb6c73b976640283ce91e281b988e25e886adbefed.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1064

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:640

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1168

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3368

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2684

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3424

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3584

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
fda87f459b6a0c9bcfd1d6feb8a8b6f9

SHA1
be59a9c192c5efe956af8d70cfe5e8db38708e23

SHA256
75fc1b23fa12422ab6585b3db4fdb59e88a64498014713ccf4386135061cd45a

SHA512
ebb517d64624607c7c76a4b7265afb2b7b03b043ad86fd111bd753319e1ab8d61d643909773efbcf449888e90ecc75b8270c88a2143bdfed334c099d69825caa

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.6MB

MD5
ac53ff251ddd788c154072ffa479f06f

SHA1
48d75275e5d2501f64bee2bbd3ceec439f969607

SHA256
18297045f4c602b58cc3f58f6d2a32c73836319aa25211a1104d018b8b203c36

SHA512
b0a7e1efd4888666d3d79a55d3c195a9caef7ea307ed64023a4296143f8d83492974454e90448ff787a26cb451df17de6f1077a3ae6b70882f0704888c987afa

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
e819d5c8831783329ab11b0d456c2233

SHA1
efd489cdcecb8ceb7cf83449f24946a948080b1c

SHA256
842606465079cc01fb73e7ebb1b1795473bb17e939d1ba298e1b67354eaccae1

SHA512
07a180a83f142098bb52b163f85ef93fdd57b1a21c3fbfbe0ff11480fa0c7b309742b4dc7f8d585e5c8a98fb8e6e515020e43f6fe4f845491bb1659e5b7a08f5

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
f4341b41473e1ec16b227d475466a872

SHA1
de17f9bda3e90d17e24e62907ca89181ccff14ba

SHA256
2ae8c94e32aeb6f1a993037f61d17ec4597114c888084deff9bf7dbffcca31a6

SHA512
5100940bcd9a39f2cc6a8f5f816ac295459a17db38d0ebe5f55afa735e91ecb871f3158e7854cd87b6b6daebb174fceb3dcc424f221d30338fb97770ef28d183

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
1764f99fcf8949da435d8faea45b1fb9

SHA1
6b5a4dbefef10e5b6259a3f766aec2fac639c459

SHA256
d72cae02b58db48cabd5f57f7461ae70f5a01a8fd088d248acbd54234d52204b

SHA512
31b91938f42c02b0ec283e39c944fc6f28925f7a9aa950f6bd781dbc35f693dfb07067bb559c6d920fccdf63273b0390991b21c62c82ee7d6ac9c6d0d281ddf6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
f9a5d694ffd260d82706a5bfc71c8a79

SHA1
9e76e356a7f4c288ac93050445865bf041d287cf

SHA256
2abf0538c33d9b09fec9891bb46295cfe6936ea75c9b2bb9c138d4a650f5c857

SHA512
67e1243cde9a6d762bab328a7ce4e4c74daf98dc776dab277e4cb375debd36c699dc9c1bf347e3c7a0fb21dbb80773322d7d2f2f55f2d003dfbd5afc57b6ddd2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
95af66da9ce93f64898f3b853312c728

SHA1
88a1ac0c2e305dbb00f486be7ef26bf897dab681

SHA256
38d55438f4a0539112a32e20e4d8a0acb2272d21070034f1e189baee4cd31c16

SHA512
55a922782f8b97c3bcf2216642e21a5818227d0505c1c4c19102c1ebb7946b10fbf528b42b09e8f000bddc466b704facf0206eedb306071d9c71e962d86ce994

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
f63b44ce4c3e2a0ee74e72e548a7c338

SHA1
88a3f19d2f2dc72fe8567688fc7cc7faf6228c66

SHA256
63219134a94525c8133aa2240d984dfdbd1c12fdd7ecfb455de6e28a52fdee3b

SHA512
d2df1adc3442835399abfc808e171cbee523cf187e2d7c5f0f98b7d35337375bc9dfd7122bbddd56ef4a3c0ce3fe43bb9ce85e919f443fc4cb82b64980460b86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
99bcc21cc8e690e729dd5440fbbb6541

SHA1
621c0756c5a77267841c9c392d1abc798649e2bb

SHA256
45c8f614613ae70ea92a1edb3ab602ba2eefdc9708a4b83a7a77479d3f4fe166

SHA512
f20b99dec333df85e46d3198a8e5c53042f7ba46d142ad8b2906296c0494ab03a418d451d39a85b0dbeafba23bd4814c3f711c53b5ad4e477b5b6ce56535cd67

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
74b40127f3b2dae6e8ccddadc581fb92

SHA1
b98b9e27e3a075c0f4b7d5e43d79dd53913e0669

SHA256
1fd3d3b927a3529c48ad6801b2e2643aeb6e4d605dbe00efb1cfc5366f101ddb

SHA512
cd5486f7de7ad1b24ab885dd1a44bd19ee117ede1d490f85349ab1d5c2d3c1f43fc1f8a37e8254c7de4460ddd7da5464d8bab3e1216bb74af849c4f04cc02cc2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
0b50f3a0bce042a1fb5bd8603c042f83

SHA1
55a2b92dcac03bb0aca16eea27ee70d8de7c8770

SHA256
dea78e88743bc913565cd8f5d02ef45e638a4f1cf943d0e090ac13662b44701f

SHA512
fb249fa8c555dc1b56b2297aecd3943f91690394207a7e2a88ec87aef44c84fdfb933fee29f4861743977ba9fa33f903da1cd49d85ca9dfb0734087510349d69

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
f1795c37de90614e5b94e268ce5fc15e

SHA1
49f8ee069b7e799114c8471e3598149b877fdfad

SHA256
1eee5d30f72e5c556a6081d20fd7cc43338a772167df5e00a0197947f9df289d

SHA512
b83af1bac9e022020c42d1630b50c35c28ba729f417fc4ac82783c06b9084b47446d53cc1cb1cad0efedd12605847bf5d356372f82ce9b0aa4fb253506d029e9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
d0c269c63daf029c461acf74969319ae

SHA1
83a091e23a29b2aff62cfe0b400faee4f7a8c444

SHA256
3929a16496cf1e028218568f5b35777fe48ff8465a84d06ae322758d9ba06e3f

SHA512
3e6e4b8d8eb8c932a2e9374c8d69fa273fdc0c4aef1a9ee06683a586c0969a4abf61d100d6db50c87605c8145e8e06cb9467d583b10a234ebe5020f353180ee9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
3c935e9727883b9ed13e0a0e6b581c0e

SHA1
5d74c1a8f1ac93eb0ee545b2d68d4d333012ed12

SHA256
bc2ff63674d8e979406ba7c1c863c943843b94ca3af2afc0998f7cf4a45d2aad

SHA512
d4f3fa93fa3140a3bd25bac058c2d2f6d2f49e97a4edf1e751a53016578008601d4ddc5d31eb31fd63e86cf725cda27ca048af13d440e45c959764d8554c558d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
b2280284759e62aa926de6bfc451c638

SHA1
00ffc9e682d7dcd9ef7a08683d6a4bb5c4fc8b22

SHA256
ed5d881acb12ac4eaa6715cc75e69a28fc96e78e76445ebd71b28d94c98bd78d

SHA512
72d07130ecfd6a260b5cb874979ae3a6224057d44eb9f39837e1fdb988672aba0e91c9f0c089dd67b7d1b0eba72948cf3f77700258debe1fe5d99fd76ad4e917

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
7489d9d0e913047c67666a31903eaaef

SHA1
47e39897b8c0faab036a91c970449f66bd335d7d

SHA256
e5b11bbc470707ca55234b530c9a8b62953c627c9de9e1db696bf8871d3f48a2

SHA512
9a4726623e01beb8618e7afd42f3340296cb724168de8285cb4947554de0e4550279144911053698ce1727644295bdb32d39d198d1bf18de6927a8c4c778fdec

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
70e2f1f56d6f386fd33ce88722445649

SHA1
db8ddd3ff61f9d085aeaec7eb3dbe9e96f4684ed

SHA256
2ed4be35b2de6418266dab7e14a2864c6cf293199418854d2026b9e430b26e07

SHA512
0d6665ee57c5e97af5daff2e996912599b5e1c89fcc1ceaafa8f933ed1d111677616bee062e1aaaa2ca7ae17dc64aea889ab300d0536a5f87fbeb71353ed7792

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
fc8c1c8e0ae4afb73095db5c1a661f61

SHA1
c2b5458bf36223c7e4c65fa47a5507de01e31f9f

SHA256
87f4932c85dac5991501195abeca778b0df3901533a3e7ee634bc725769b3bd2

SHA512
539f1653cdf2d4a43805c6785ec8ec7cc3a0a6836d0560585770f88ba840f9d270c53e34a9976ca01b52bce63dd7e87418a647a6481c8e63732ee2f95c40ae24

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
30713a2fc7a23c1d913230a73b5b9461

SHA1
4ee99a3304066a4e8292241ca4496e5125615b97

SHA256
2de3ebcb1834b0b4e4f46dbbcf6a64021a93eaf0e8a73128c41201bb7a4d7833

SHA512
7973bef7939e1011fd931117306909ef31b8fa55309d640d116934ffdfd055783284a1942339d8fc15ba6a54a91cca0a93cf4ec59891f6dcc2548061936f446a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
dd2635c0bef9ecba05256762131b32fd

SHA1
a472ff2c7fdd9058da8fb2bc542f6a3d5616d3d1

SHA256
a3401a008b91fe6e51af6402357918adf20b9bdaca28fb0137ec2a08cd91750d

SHA512
62229c6d5923246b2a7062701f9093a1d3f2cc3bc164b25a229e777eca73f5abba53bb838d527b5762f85707c22119bf9b2f5bd7adeb29044fd2061dfbe6ca96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
64ab06fe1790939740bc0d084e5b633a

SHA1
5c921eebdac0b4a1e71475535c5088491ea3dc6f

SHA256
cd5a6c5e7d892beb0e57486dbcae0de97197284dd2a47e187277a2a5734d19d8

SHA512
2dff27e54a9036835dca5506c269d5af807da5451467f864bd7c94c02603167c7e22861f71ad70e390dd47512d79d358c84c235b7e0ac95c20a10b56cfc337e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
25d68d30d8504243d876452eedbcb41b

SHA1
1726079de3ee7f456a1f9032eaae96a21a7aff9c

SHA256
2a6b293ad3700ff05f02c21d2f2f80198873d642ad88e12a22ea8c5f10d8b159

SHA512
191fcb22cc83f59c68895beebb727a60a158daf76af8411d7dc700ed3bfa16fd829defe565720b880efd0c01463746cb6b36fe0e13eca84c264b87d4e95305c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
124bd122155c54e9d6610091ae7b6347

SHA1
3427e1a9fe537c55c1bf2c7c3780dd8088ae9468

SHA256
49930a9329a0d5321be933453f60e604297073d4260f3ad8f0cf5469ef2fbba4

SHA512
9ae04685da1e46d10211cc18254662671a5a122073a44ab72b7e6ffdd0cf4e7c544a748e648634f9162be3e0efd912519d77527dff4d883a09dde745ebd1c67b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
2f3a669d2d032a05390a2bb1827e238a

SHA1
086167b3114c3d21a0f8cf472cee1608522cba24

SHA256
8c12da73b8e47c1c6425f3b1132616bf242a73bc868f496282e984197d7c93e8

SHA512
0117877fb4f33e9b1772364dc5a48f14bebd9d79fc272c15ed6757f2197fb6260d02f2d71eca6f8f83bc3c6e44aa5b0d5b92dd895ebff716e30394969a594fd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
26dbb2fed16b88f2e506d973d7c3702b

SHA1
b690159862a42e1f947e09b8e0624890cfd43eac

SHA256
6a996c2f24f5be71d7e748da0934d1c7208f3fa57eeb84765cc0f74426dd1e87

SHA512
e2a5cca602eb98202e88938fc74c96f58031c14ca9e7a78d4e98157da90994fbaa7ada7a7309d74caf4842a0ae6976eb7dd56afe566d3c81411070b450ca4863

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
a5481b0fcded8cb59e7926ce62e7cafa

SHA1
0c736e8800e3f82bcd59ed754d5e4c605c67ec21

SHA256
9379c1336567a67b1169a650905b299e8d6c9d3c2dfdac221dc6b4db12593c56

SHA512
8a6cc8eee0089940647c5b3f3d43ec1074fa057683229d56182324534afd5d0115fbd8e05f80e0d9e137586e6aabab8e39f0fca50ce1d7e782b4f1e2d3987f46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
d7838820f88ff43bbf990ae2d0231338

SHA1
fc4096978344d1014821a26a6c9ed70311b391c9

SHA256
611513f1f85e0a625d7b5a6da6e9cc98c96d77f77bd28b052a7f598529ac3781

SHA512
3f3daeea4a1cce232052194944a223ed7613233e8f09f05b4b5d2353efa260eae6004eef2fd9f19ff9397c7243ad624180c2c37c15f557cb99166afab6d4e427

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
1632582b40596f2c3043c84a1b860c59

SHA1
d0f91feb3bb575e11b34c48e23f5b2c6232ccb12

SHA256
ce2b33e97c5b19d9781a873c9b11d91d664a8b00c9a77d681b36129615ba0ddb

SHA512
9733b36dd45e25b39ec3bcaadd872a0bf27dd0643c648d95c6e705a7d263e7b2da42666f741d1f56ac7161278ed51750844902745ad034f0ce55916fd82f881e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
0e81035accfa743488e4e604029fdb99

SHA1
76d17b06b144cc20dcadd2442e22370abcf3c0fc

SHA256
87a46a3456d16a4836a8157bd2a9f20b53081cbc54e5870861bfa2f0a479ba5a

SHA512
3c58fd8fe1aad2d7b87e07de04a829d374999084e0dde463e59d65880416a9beab8eeb932baf293981a18749f11d8cb07384ab6a98fa805f08cc00afe391696f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
60ab017c545df08dfdc4e8b078b4f881

SHA1
a985306cd75dad0446016249cb1d750159a902a8

SHA256
f7e86c5b1d3cb9e62d262094c4a73f158f1c4efca42a40488c06c74c24d5f43e

SHA512
14cfa1a3fbab413e6c38014e2aab035d77a60d0910de5428f0adfeeb80c03e92ba938bbf7cb580416937113b929401c3b9056f575dc1a4007dd2c48eb2a2fb85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
9372f33581c42cda53c7eaab9b91b5be

SHA1
43cd6989f520d3825f57c74dc920ad913e84cfa6

SHA256
37d9488d88087e9b99a05c6686ffdd5af0ca7325008dc0cf3c349162aaab6d78

SHA512
8d35da265b34cee068eb858d5b0ff5b1d3620926d44cd799642c8b50af26ab55beeabd0e024098fbffffc5ec292c6251ba4b4db929ace056dc950a9bf90a8811

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
4d06b312d50dce0417dc6b2c99c694a0

SHA1
f66a5bb231f7319064695624ad0bd70c0980c26b

SHA256
a09312c53ef54b3aa592cd9e43452f21d9fe1ac9e92c3b8a99f5bf63734482d6

SHA512
5740b9adab8350862c0248a474def52dd5ebcadb0154b70417cc5667f5489729dd2f507535adc7b26656d1f7789a37c99c5e8cf2a6a0a7e8415de83b0739fc93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
010c97f198725b5962ef209dea8aa95e

SHA1
684d3590cd442904a99c09d745421a2338561ee0

SHA256
4e742615a2c7e21746b2556f16012259c4ce8302574ee3ed08031aea5d30ed00

SHA512
af5a2b5d65561d47a460bd4d2010813be5ba6413d509ddeb83d893630da29ef5725e9c0aae8c28acd277a517eee34d87fe945d801ab2cf70a45f46b4779f539f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
0ce882c6e142fb0407f753d0a75aacdb

SHA1
b66e3039ec17fb2ca5230f0ad48fb003b275dc8c

SHA256
0c4fde68b3f98f08464aa97036cf7fa9b683dafad321b7d10aa8613576bfec33

SHA512
a3fd4efe93b34992fbdf9e089147be6ea5ee9ef80d9ebaafa0f73590dd99f398d091d5e1465134e3acfd1ff477704982ae8da2f2ece751f3c83e86c2097352a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
33f32cf2a56cb20d23c1491a29655f81

SHA1
7ac81862adda7bc5ae91cf32804a1a7454c7a9cf

SHA256
2e847ef477c3455578bca9003fee3e12465ee88308cc1f186ae5111a57ea33dc

SHA512
840539f9b1a954afd5496ec5db5db0f1fc419d157e2116ad8c62c9f288c9db66bfa2aa1994d311460b33f072cf9c29c0c72877363f01eff6a8285bd0a6c42e8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
6309b2f995625bd040f932157ee65c6c

SHA1
c977928dfc5092c248245f443d792b3a5bb935ec

SHA256
a9b4ad52e43018849cadda279ec0fbaeba64f3bba04653df716e02a3f389e956

SHA512
5b53ba9104e6a1e0c45aeb4c48d59c9aba2a8d470f0dbf67647f042f141ed580d8477bb83a1e1d8a9f7c13b98ac4ce4b4f56becd689a66d10fefd9dc19b8e304

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
449a7d87cf3f36107d61741feaa1c4d8

SHA1
e46fc063eaee8f2ec97b6a43aabc36c5ba3a7453

SHA256
948dae87bd58e20bc1505a7c17a002114ce160fce80375bcf36ea3949410d7c2

SHA512
bbd6de7142b4ae65cac90fef5dcf850494d447276e070da865fd165ec73a3ce7ad3e684941661d071640f97dfbfca71c99e734ba43ae22aea2e2f7ad23c67284

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
94d3067dbeabf463706d8a9e608315ce

SHA1
43c44f1ba22fd1a13c7826cf0e3cba3ce16e6c4d

SHA256
e55816d583250a1ca0392a494fda2cf71f648e002bacb2415ab7d373f23eb7f4

SHA512
0283215b0928fbac6a31be1893cfce471e32e2e2c69228d762a7c6171f7440a7224352cd08a015f8a12d4d7d60b0c5f9ac9e4594902b32c100e7e163c98549c1

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
08c982ad0e66320509805438ffd95567

SHA1
98d4008455d537d5a2403931d6e4ca0f76c78fde

SHA256
3e25e11ae9254e78b99eed76d0bbd059e65db716c3a3a10e02a07ef23aebfccc

SHA512
0bd392f6a478415c39f6d19220b12e5ef9fcc6102773599503cf2a6e2cb2213f2cab5d0d6ab3671cfe6ef540a4ccc1ba396e9e210bf376d82d9b65e54e651e37

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
c418f7403e2bc854688cda494d20f8d5

SHA1
10c704f5c581e9d37963b2a61ca18c174e387340

SHA256
fced72703ee583b68bb6fee3445d935cc24a399d69fef7af0614218ad0a84ac1

SHA512
5d6216794a7656e1dbe52f12002eb4f29213d8f1de4001f2cf8ec37adaec8628e57625775bcbdab444f977f351071ab4954e4f63484f4ffcecca68d11248bd0e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
c52510cbce0a080dcfaa030d87319898

SHA1
feff7b45d76267218c2f2e16f9d6a9392728711b

SHA256
cbf30af9107935521e3930618ef198455b5547e9183d65ce3b9c483c3cee3300

SHA512
b58d5999ab7a7e42bb7f914816ed63b751bb7266dd8b4d749ca79d2a441f5ff92fb0e1de7686390cd4f133109960e7da24652df27c07e079ee1685581afcf1aa

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
d88a731ee9dba9883078354aefb63b40

SHA1
4a582a0d24733a50a5fe0e96f83fe212b5e8c283

SHA256
d2376fdd942cc12217596ff187ec490654e1669dd1d3ec1df837a775c0759895

SHA512
bcf7807c78962ce56a2dd4757ec017caabae7dd437a79814cb235b414ed53a92c59d702d25b7accbc305de46e432dd70c27ac5f5e5e473c12ca433d045df84da

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
7e9714b20630472b06f9550d91f08c30

SHA1
bf1b9ac84f81fe35afd13191964eca8d3653647f

SHA256
6654d44c78d9f0061c888f0844ac0e14adace66f63eba70ab122e5f71065bcaf

SHA512
811bcb8852ed8078629a90d99ad5b56813512c00ff9e5d073db91b7fa2f129583981d1884ee458172862edf8ab10b9037286f89a516daa27ef40d99132f620ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
f043c1c1bfa13be1f3c0dd52ec19c150

SHA1
19b92f68dd5a30068e232e20f3c1c328b210da4d

SHA256
57604682db45673d63a063b2d9c0b4ba479a38293ac65d89e6a4243171e311fa

SHA512
c176580d0e54901a26b49ca8870ba96f01575037c39b0ac4de2b813894e5f261e09ce60524a4343e7d72e329b3141f9521b62ebfcc561769ee5cf8b1d9296e19

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
6f80b4276bdb3706e95f15d19afc61da

SHA1
b784242887728e8aad950e1b9a80293a895b18a6

SHA256
f9824c9999c6b35fa161f442718c58becf43c963cc2aaf0897ddd135c7d394ab

SHA512
9370220e99d6f30c7da885325e373c48c0a5f871521db0be5dc3caa9746f54817d04663c6d49d4a1d2cb646505733bf637edadf59dc38f109ef8562a251b9d1a

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
1d335e5c5f3c0eadd15e6d00ae0639a4

SHA1
e0aa2e586be626c7126a6d056ec5dc98cef6de38

SHA256
3552f434de5b0b8fa82014b3b9bcaaaeaf7862dd499608f856c3ca5f9d6efd50

SHA512
3f6fc69dc9c114ac15ba034f1cf52cada9cbc9aab4cf7e4d3c096b9dabef2360ab13e75348dc05931a89c7d1649a3885dd947a5d01a29b7eab25efcb6133af22

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
24933676aee9ade8f7dfb9a9e1966580

SHA1
983fee8b67eb50cba90fa17a72d18b989ca1d406

SHA256
161def50f28c720c365d99d9d7bbbf7bc5be9ce73d2e82d28bd12ad998a88fc6

SHA512
0f8db8c3c39e7d21a54e4d07bdceddc81a268d76a97bbe01b162a1f8b24917857daac84ca7fcb89c3b6759a2133f660ccc225b4561fde2ac7b61eaaf3e0c3947

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
cce2d3367e9e4ac16ac82d4a9a293c6a

SHA1
74eedf2ca8e8b066c7da0b9944acd3c84f770b20

SHA256
76d11243b63cf8bf8e95757528e61a21c7305a31b89b4679bce3a985e94361f0

SHA512
0cad6001e97d066dfc22ec859adbccc0f3bcd35c061575532de7a94ab4aec3a77b7fc6bf785c03a6f56fb6cd2ceb36c971198526aaef9dded29659df57ce1db8

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
1b22032fd3bf007681bfd4056c04c191

SHA1
5f402ceb4bbaa6a6e30a96de94a9895c4e588648

SHA256
35c904f0ae0f78c6f3440c484a6b65a8a14a80c5c5cdb626462af5962c71152a

SHA512
a29e27eb7789c3a24648948e034f84e923890e2805edb9b05f82f53d4570b807ebfee368d57d133305bff85ccb8f87412f0f8221a46bee3ece34e997e451deab

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
4c53e5f54abd1c00d500f7af76d0c61f

SHA1
4db0c52c092323f799e0e6ee349fb2e8ce3c06b7

SHA256
270b07b1dcaecebe1ca1412f4d311e2a5911da3dfbd86ea4e6998651b6977fb8

SHA512
32df1e16e95b56bf97a886d0fa692bd0b935f1a4c228aa75481c48c8e58f9b5890bdff6264902d49016b138b2cd074db823542fc290576d4409c20b828337924

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
827ec1193632435b133ae1e5f1bb2500

SHA1
d9762f012753d8e27368c7a29e35eb8855da901f

SHA256
a9b5d53ede6cafc8c45d06598319ee3b6d3aee143da9d52fe94ecbd0d1bc273a

SHA512
58d38169822d3d96f346fead9bf58cf0164b2ac70d90a0aaae59f2ef0628a98688b6047573099bfb787136a55a004cb9238e5ea3699bbd75874a024c52eb7c66

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
f32d148d6b01af7f5a45c86e37418697

SHA1
c7cbb2f9aefed2b1d9980d45b62e542c06cb0fe1

SHA256
e737f4edf6229d009c36289f944409bb9a213d760471653855de117e16537e20

SHA512
a2756b1407c0695ede2730b97fd93b06a87970aa6e6274c6cf102588e187c1cfcf8e59146b505a8f339e230204d6d915c4d907eebc4d4a95dcb1be02b3e97f4e

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
62660d6e4b979b7a1821c50ae6c1e86e

SHA1
e422b834ca9901027e1f17012ff80c03a9e51082

SHA256
ce158e4fa31b51902132008fa9798540ca7a1a6e605fdecf47dfbfed7b88f64e

SHA512
ba64232d064b14759cf5a76373c99847e9089e540b35875f44a0eae53101f1d5b8d99b3741db601ed3591ca687c59e46f9f93b83aee574d084e2feb0cf394973

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
df160b77df88517b32719252e275cfc7

SHA1
80d639c38eecce0c69f48d6f54b7926754d9f681

SHA256
58365191561f495bab99b62c9ecefac5cfbfdbfbf33d306d46f1bedb2f3a866d

SHA512
df5f0f3838ec2ae73b5e49e96d434bfacba53c46ba8034955cb516e1a40150587c5992c8717e1cfb16d7093ee5c23172debb8ee3f5700c5a1ddb2ed7a030f64a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
e83fc36c00b245c5c382c72154f10a62

SHA1
3fa5b8ce47f0d97b13eeb06d78913d1a37c11bf8

SHA256
fef3dc3fcc50e9a3e77bef0ff9228ed9b49571e3874ddce12d0c787e1858fc46

SHA512
725d19cf480576171c94a2f5df8b7198b1e4b76582fd038cdcc0d1c689438f70ae3960ec96f2eacf8ca39b2d9ec47c6d64a51c898f9f81a6767a7a7f1d4129d1

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
fc2a24ad274edce02df844d58d4ed1cf

SHA1
6a1aaf8d4b92f12f6f7d0b8eea9353224e43f00a

SHA256
5c65f3598c0b77e300ca979389cc9903b32fee5f5ca038fcd1b9777b53349ca7

SHA512
8d1c2f8b1b1eb0e8b6981586bda2fae75e275300bff20c44b8c96898225d348ee71cf6baf6996fa744976291760760a50fdd8103476832c28e5be0249353a565

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
9e948123d1e3dbbf912b262ad2c9120a

SHA1
e12cf98d0030eac46124d7c112d48430c685497a

SHA256
36e4da52110a214aa4cc95f7003eaa9a07bd631ef698a016561d391a8c6d99a6

SHA512
e223cad9464e0c3ea756a122511cbc938fdad068aedf88a5a464c20926860e906fd5b03f2b96a957b42f50eb71d1fc26441e2e8d52a0cefb0dc190d78153e812

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
e0a01f7f7dea9ef34fa9b9013a1f0d72

SHA1
15db7b82a275042b30a5a3dc50bb490b24b6980e

SHA256
640815cb74cf5acd90cc0721fbd5ac65beae89c730e298542c79fc634d2269c4

SHA512
bfbe118830776bd09d2e3539f36abd2d927ea2d51a0f52ef0ca5f02921abfcc8860375a2ad5e451b6281f35beaa9c46c38100fdea44eafe82746cf69359fd901

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
603ef7f93f87b2de6cb925c59f75c089

SHA1
058d153901a2890a2159e2fc2cd32f08e2c8c616

SHA256
363e7e2a672becfbb57a04aad38071537b57fbab193b611f8f91bbf110945874

SHA512
118cb047bc1d93385ca5fecfefd10acc072cff7145822e23bf8afd441bdf55eaf5d44b789b6d60d53da0fc107d48c792f68a64f2e13e1a4c14274c24023b5399

Download Submit
memory/944-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/944-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1064-124-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/1064-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1064-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1064-33-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/1168-224-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1168-114-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1724-125-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1828-640-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1828-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1924-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1924-83-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1924-87-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/1924-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1924-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2684-636-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2684-190-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2720-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2720-602-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2988-179-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/2988-635-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/3024-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3024-642-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3044-20-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3044-97-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3044-19-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3044-11-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3144-238-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/3144-128-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/3176-98-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3176-89-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3232-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3232-165-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3232-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3232-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3368-563-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3368-263-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3368-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3576-131-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/3576-250-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/3652-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3924-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3924-637-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4460-38-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4460-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4460-46-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4460-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4460-44-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4476-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4476-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4476-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4604-6-0x0000000000CF0000-0x0000000000D57000-memory.dmp

Filesize
412KB

Download
memory/4604-343-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/4604-82-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/4604-1-0x0000000000CF0000-0x0000000000D57000-memory.dmp

Filesize
412KB

Download
memory/4604-0-0x0000000010000000-0x000000001025E000-memory.dmp

Filesize
2.4MB

Download
memory/4612-479-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/4612-154-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/5096-259-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/5096-641-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download