4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 04:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
Size

1.8MB
MD5

e4624afdf75339cfa287d600185a7d35
SHA1

f0eae72b671e8783b808314f5f0045e022014899
SHA256

4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb
SHA512

0a648793f9dca3c6b35c4226c350197e8f5e20e2ca3a7cfc03eb4a8b6314bb899adb34d5639d72b5ada84e2233b77fba0076a1055bf1ff61e4a91cc503891d6c
SSDEEP

49152:Px5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAEiLlBUKubZrX+ld:PvbjVkjjCAzJTiBSTZL+ld

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2208	alg.exe
4000	DiagnosticsHub.StandardCollector.Service.exe
4392	fxssvc.exe
3848	elevation_service.exe
2500	elevation_service.exe
1116	maintenanceservice.exe
3384	msdtc.exe
2284	OSE.EXE
4448	PerceptionSimulationService.exe
4440	perfhost.exe
3300	locator.exe
4372	SensorDataService.exe
2744	snmptrap.exe
400	spectrum.exe
3716	ssh-agent.exe
228	TieringEngineService.exe
4092	AgentService.exe
4176	vds.exe
216	vssvc.exe
2340	wbengine.exe
3900	WmiApSrv.exe
2720	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\System32\vds.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bbb757d8234f82a5.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99062\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8AF88020-77AD-4F36-932C-90EB553F7474}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_hu.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_ml.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_pl.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_en-GB.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_pt-BR.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_hi.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_mr.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_ro.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8AF88020-77AD-4F36-932C-90EB553F7474}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_lt.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3B92.tmp\goopdateres_sk.dll	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008995284eec99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4f72a4eec99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef83f64dec99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000da67164dec99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007596094eec99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000bb4e4eec99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000760d004eec99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4000	DiagnosticsHub.StandardCollector.Service.exe
4000	DiagnosticsHub.StandardCollector.Service.exe
4000	DiagnosticsHub.StandardCollector.Service.exe
4000	DiagnosticsHub.StandardCollector.Service.exe
4000	DiagnosticsHub.StandardCollector.Service.exe
4000	DiagnosticsHub.StandardCollector.Service.exe
4000	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4912	4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
Token: SeAuditPrivilege	4392	fxssvc.exe
Token: SeRestorePrivilege	228	TieringEngineService.exe
Token: SeManageVolumePrivilege	228	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4092	AgentService.exe
Token: SeBackupPrivilege	216	vssvc.exe
Token: SeRestorePrivilege	216	vssvc.exe
Token: SeAuditPrivilege	216	vssvc.exe
Token: SeBackupPrivilege	2340	wbengine.exe
Token: SeRestorePrivilege	2340	wbengine.exe
Token: SeSecurityPrivilege	2340	wbengine.exe
Token: 33	2720	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2720	SearchIndexer.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeDebugPrivilege	2208	alg.exe
Token: SeDebugPrivilege	4000	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 4428	2720	SearchIndexer.exe	114
PID 2720 wrote to memory of 4428	2720	SearchIndexer.exe	114
PID 2720 wrote to memory of 2052	2720	SearchIndexer.exe	115
PID 2720 wrote to memory of 2052	2720	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe
"C:\Users\Admin\AppData\Local\Temp\4107ffa881ea03b1cb94f9c4661c01507de5d90994a899643396b8522f9a97cb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4324

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3384

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4372

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2744

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3432

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3900

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4428
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e4ca03236fa4327e3e650540a7071b04

SHA1
18f3fe0ac8ed3eb7d9ae890428f978058fa0c07f

SHA256
c01d660cbd0bb8a1eaea3f2e43182ee76d1d10e78f44b1c62e6e546e10c694b6

SHA512
39a4e16869a94245bbf765c9c23a1a7174115eec7fb25aae4cb09c7a332a63c75a2073219638eed14618fbd4be76a7bd9d9962110524010bc9678ebce03258e6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
33b145c0155184ce559b62728be2af6e

SHA1
edffe67f30cf3d2b5cd41fd7c1e8717d42e96948

SHA256
35b07ba3cb53991b2c89926f6c759a01def17d8d7d30b48d09b2cb8f6cdd38bf

SHA512
36320fbaffc2a01bb1dad1babfc490e3c341cd3f000186b78b2313a32ab9db07da6b29459085de0d5ba7606603a52c0b9a3cb7813c8b55a15f8b4b0947787b0f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
85624d2af1a177fe98996544bd4e9c82

SHA1
8a005d75bfd788adae5c1509f66cb049ed74ec21

SHA256
6156757a5839e231a34814d472addf1c866d0f55b505439ded1ab816586e9c28

SHA512
021ddaf3994845ba1898f4ae2c4be4d90df4d4362899125f1a260fbb59b691512021b77ddd78429e729e6b9c7b0df6309bb609cf8f887e58f8ac4643e8532ba8

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fc13f8a937e1803cb27bf63e710e307b

SHA1
9c7d2111cb6980ed3e98d034d3af882506afcd62

SHA256
43088ef398936b2e2e0a8d59c99976275fb71973b2edffa7654d9c8b6ec874aa

SHA512
62516a58cfe20ea45a2f0f135ad4e7335c2a031a7d3b32fd1790d8eade8770390bb716389d45614abf34df5604b491cb06b7b7c81818d607335ce86f48674fa8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a902661563970bf1e7bee57540408f1d

SHA1
4ffb186231bfa7e976abda19dc4bcf5cb62ae914

SHA256
0878e7e91e41c2e6d4cc0a40e4631029e1c0b94085113f97bbb002e1584b2d36

SHA512
d42905bf57cb05db105ce30d18556d74b19fd40a749e8253a6a2fffc2f4a37a1683b46c6a6619dc907c32a4ed0ad0a645b024f6d01bd72a24e4d74b41e476848

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
67dea675267091df211daa08196f61c5

SHA1
f3b001ec5aa25bb24561fc71b96ee968d8d732ea

SHA256
c558ece2a67de2854349e3986cfbdf012dfa0f5e35b7904fe7c77f1aa54b6967

SHA512
f3e6ed535c0ba46b6ad63083da967aa92ffaca121c2c8782525b161f59a19b66d6954e9074dace2e1011e6a8d175e655d85662e171951c3737c863728f141d8b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
56d6c35874699b95dfb904700b49cea8

SHA1
c68eee2ce95c9cad9c726d2a77e9cfc89c8addf2

SHA256
51ecc19c1bab7958b622768dd0576c2af0c9dd92ba3a2d14f13cb07c47393bea

SHA512
cf4bf3ad377e1080e1de19af5d31adb1f5f1f562388a7de1685c19bb5bb33d613c9a1a06326dc20488faed4342198ba8027f4f0b8224e309bdfebcd0077cd3ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
de726ffa9ec1197f77df62d77e383416

SHA1
8130bd2f5d958d7dcf22bd117a71324c23ca19e5

SHA256
4b701a10489a5f920b5e4e01c7802e40dc244752b7afc5913a82b234e9a30aaa

SHA512
12bc05d4ad0b4a6af26aa25d7e2c389a3b78d45f574d592e47705327435fc59c2f738e06b6cc47a8b4cac1adf380bb4179fa5aceb3b6642fbd1ec02072f06c2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
df590c20681e80ef148ff7aa0d41cd44

SHA1
921ea5dcb78c8b502f79e12312dd94aff63b85ff

SHA256
1091e482f7989bdac09c058af8bc24884cb35a0ade2e06f272ef025d0d1455fa

SHA512
3829e7cadaa4f57e7ee453a5e6b725d03cbc47f8c99f728a6382d8efa1aa0a48215028770994cd30dab222d29333ed98f31dee048942292d4bf1c53301b80a4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f89613629eb76c6a624a11953ea8b327

SHA1
b9da19cdee2dee9f6a55165fe5a6b608a14061c3

SHA256
6779f25d3a29cbce1227d2ac84f277c9e00f547131dee3a2c426ffeac49ffd69

SHA512
9caccbb4084db43327c5c409e9c02b68e279162b4d3951acdcc0260476c1ef8c71d30de5e56b7375830e44820a11ca5b072f404692094a50af75586c8b4c92a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d54181c440703f855841c34c5ce3d6b9

SHA1
7d27c16c21e825a18a5c652d1048dc2e1ed7b9a1

SHA256
24020961a8b78d980fbad3aa2f7bb22f4e7f9a56418ffc443499a5064d473bcf

SHA512
913c58d46b604b212c3dd0b78ff10857fd994794d5e24ec2397b82b2f8477503f410f0029088e2867cc74e96f6e6abaae235faec3609758cb434881eb41b7799

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fe22e306c1d1fbd1bc7b43ad3bd40476

SHA1
4da6e02bf80d5dc76f23d706f835195e5e437aa3

SHA256
8847b1b590275dd8304604e0c9cf7414621ce7cfc08058a2b08948c749704c81

SHA512
2a1c7e382729d52e5299ee02ccf97c7517213b67e0c853254fc9a14fe3d2c5c8882bcf861a73b87ddc6c23751f99c306528eef9d5fbec4c085bbb410e73ff12c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
24c5ce9d01091c2b692e03e635e37e84

SHA1
a0b28c76eb8ef2d8245a1e06b77c91657d21799d

SHA256
1cd39c78b323e8bdbd2e1eca2817b0dcedb9c0be4a96a06d7b49c0b4f066d2e4

SHA512
b9894ae4875816d9f7c0805d06fcc30634dba7fff3ec8b781ea523398b30ef8f346b9db29da83c2fb3db60ea76808e034548b61c6173f396375de039947007a8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
ef67bd6d8fe3798f335987f3f07b8acf

SHA1
7d0b309a2dd60076e8a7f87be775b421de85d2c7

SHA256
cab665a0d8ff65cb61e30ce6749445e6c138e891420406a1c0f022f9c144d1a8

SHA512
0eb6390bf3464cae7fd97948b5017b858c49b15178032bac8538600982f1009cf038ecdcde8c632b4ccd10cc8705b6b6e4c95a4376f51d7404ca8b8b3d506c61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f7be26ec5459f53ecc328cea6145009c

SHA1
a1e7f81e902849f142e4980acd1ad3bb99e0571d

SHA256
88882dcdeeb02dd1e25b107b17c1b8f7b9d862a08e74791b9626b236d0ff3dce

SHA512
27a249d103696531dbe6f3b08f04b366f705f850e9c7af53b2c75b6012f3ad3c1b9f8706061bc30ed581c473f6ff5e51f76d28e67e104b62d619867b76f07fca

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
62d0bdfb57ea02b16e9e007baa95e1c5

SHA1
da7ffb4a937f66fe2e9325cb545988ffc31052c8

SHA256
4d817be9e19672ae2541643d4502ea7dc4df825f1fef1c71f06fe6b8f13ae0c5

SHA512
62de87aa62fa3a6e3717238053fdcbec89611dad09947e82cba72bc9e7eca5d96db4b7e25d7babdec4a41de75463fe42140024c682cfb92317e98700a4eb2994

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ec12eb427e5b555d24392f2d2d1eef79

SHA1
c19e703bc3b91dd9b6ccc52dc1a8309a071a9089

SHA256
de41a703a61a54d69e514e0c4f470af26366503b43523ee603c412aa65728658

SHA512
14b0f0ec1e2a5566421f88c43df13ddc28846bc1044c94b717ac4928e9c7aa862fcbc754dfda4b4cdc0279ca4c4d5ec1a92038e75d36ec908210dd8e61e31ee0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
f77c16f1051b6a3484c21865bc0b6c4c

SHA1
efb6935e935f020bf073b4ee0cb7cdcab1636920

SHA256
dd318b833ba21cd59deb99d9d1fa00fedb2978fafcc1836bda76f9d2c4b028ba

SHA512
e94f0595c13883ee4a3db1e0e6b13cc6a6f2c75ad0a584434e6be13d0e411ebdb8eadd230e4754a81c12df45461115223a04110c1672433e72bd0928f7220216

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
b4d8eaab4780e0a61250c75be0544f39

SHA1
9a81c19b3ff1a4d0d2f614dafa08aa789b3fc904

SHA256
c7ee0398c10052c4f1f114934388766ed52d6c42af4c03fe595d7444d012db01

SHA512
22c3003ceea311ba4b0fe38473775aef82e85e8d0ea128e90388fbc56e5b1bb3cf64532fcfbc7dac16932bfbf9082eff2d4d3e957284e0ab1148d535ef592f8a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
846ea67004866498152c443f28f8c1e6

SHA1
d9958c74ad610a551f49638d07b74e4278dc4248

SHA256
a5c7f30957a5500385c3b01b7487319f1c451197f9bb0833b0007e935d4ea503

SHA512
45a8d965b31673f413ceef80d2571055cda358706017f0fe6ff676844c813c53e170b27f64737079caebc359932b8608862b046d98b02c8dbb14b82d9fbff22a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9363354f165e8fc8d7bcd862674c57a1

SHA1
af7e0824168c3ce7cc03bfe25cdc236ad18ae9ae

SHA256
d989eafc86b99b0b775ac112feeaded2b7792ce54a2733bd854cdab497f28546

SHA512
49aabb5c38f8654f6ae129eb1e59382e231ffa8c2806316e833100b714f529234561de3b37c40acaa7d84127cfb029507a3455f13746a2a7343a5d7a3bf9cfe2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9a622dc925c30019f3bbbca849e15ba8

SHA1
c5e1fb4c86294fa83b39fe79123c422f08107b67

SHA256
de5068ffbf95ca94107b493e61c811aed6e8eee874bd6e7e33cf4ff16ef40a71

SHA512
80ee94adda101f00969eef83dcbd7c019cb0150e30742dea2e295e7c5b5ba28abcfe9b8f805344adb115cb4f7913cbfbfbfa78bbe410a0ef49b2104e24aeae62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
020337dad257640372705d7a2f5c78ac

SHA1
f5a94375b4368b158a71d712d8bbf91202a1907a

SHA256
17783a6175cd9d6f372643c9b06ffc7a2e2598fc56eb4dda7aaf1ff8910f2849

SHA512
ec709a52dbe1b8423590b98e48f54dd53d16624c526485fb80f17b9e404b0d82f3b542ef15831eeb89ba59979bdaa5e5c361d46a37ebeb046877c332cf08005a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
bfe45f52bd17cf0553232c57d8167d2e

SHA1
2b8f04aeb702ae5004866c1526001af558059c1b

SHA256
4916f8b21597bfeffea94764d7865a20e6b276a9802a2e7233b43b393de47177

SHA512
95b08a4443d5cdf0c9042511a9e9967fef9c5ea338bafa46beba6b77437ae2a83f67909b8306fd7df74010057c00ae938e2b23ac231b51301068748fe7d9136b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b8fa43424100e9f0ed0d6c5d5080e504

SHA1
c3ee2ab281867e9172884e7038affa7d44c1a002

SHA256
290965163be0144efa76cf4467773140a95341fafe35e4d321591ed78a617888

SHA512
5afd30fc36e02591e796f57f11d06b20f9cbb1fde7c2e0ca0fac5b8fc97078ecc0a254e6e174dbb3d2b44e4e428a1cedd5357a21a042b03917834f8527b30db1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d20ad414f19b3e3edf6efa6dd40f1bbd

SHA1
36ecee3aeac462e761eb748c219352497c8ad3cc

SHA256
a9430f4b859161832cc817ca6d443666d3bf8dd8269bb4414361bdd439fd223f

SHA512
c724fb270f00856c32a2c9dad47c502992e4866a2540e5541e34bd89daebc85befa24d756d7e9d68e6cf4729479b4a556e727ce928e1258d7096a3b68d19c405

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
947558e7924698ffb2d419e2f73d0653

SHA1
dba100e93a021b9767283e30b95bf4c2f3099b54

SHA256
934c033cf197c6354fcad3561165ca8ee978f8d8410e23da352377cd76cd2618

SHA512
346b7986235e3690f5f53923d89413da8cadd858c53eb163ab62b60f0c6e39e27a50b0e62632fd53f56d35e7a9b6ad5ce8cd7943040c604d2c93e22552fcc4e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e56597ed6382cc78a965459d2fb3bcf1

SHA1
1e3023c7a5ea4156e9925aff0d8577f00632f7ba

SHA256
8fd6d248148c10105cb1b52f03d8ca6ce5247a226a5f58e607f8d05ec9fd5c91

SHA512
a8080ac2f7a013696163b2c7c0faa2bd4988f10610cc3345c82a68632056b51c613846d46a9bd12b0e97c146aeaa29a4af8a966258659096bb5b1e7ad18bfd24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
d581a5ccfee43e4eb48c4f72f0a2d0a3

SHA1
264333c7eee2feb7b3d6cdedb28d550d6a1ae54b

SHA256
8bc8b3408f9efab4b4a225cac306f4accba984829a15353766a1381c9b54ef89

SHA512
2be6d35a5f561962caf75c4d1e58586b9c2d58437c9a669a7d20d8825caf0f31697c13f0025d46e35064d91981c765ae48453c69c4b6f14443fcc4b4d65badbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
5ccada14811ce7776519cdb956bac5d7

SHA1
9b95944b0916cbbea592bd10a364ee938a281f74

SHA256
f350cadc10a57d3ca7c1c97c1cf9133d7fe3049e4f77e058d4406f10b071f622

SHA512
832fad3c2b1dd6cb97e670639a6ae8b896463ee3e821e56c1e9280afff94de96d7fc6858855f5af1f69a41c253e5e395088c8df0a6c4df36b7e9fd7557a0daf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
5689c482cae6d4bd55a88cb0c11c7d89

SHA1
e50400f5b2f065274a3a7b3b7c3fbfa969eb1733

SHA256
f1b2dec1a69f901acd1d5838c1a282b318037de570a5ad57f525f728a859a8ca

SHA512
0ec209fc2030122af429c134cbfb65eaa2ff78ec8a05f9f197e5374bb23e191502697f6b251d0716e74bdda01c7a031aa0d482161dfa8f9d21daa260cd82a969

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
18d550f538690eddc11796ede3046207

SHA1
1d838d400cb887707ae06591094b2ee28b59d248

SHA256
5ff3c7c7d2ebec5c11b30bb91fbd180cb89ab4021c20bb7951536ad4e47a13f9

SHA512
f72feef117088c2b894517fe9edd863b72d844d3e7b101518c17224b1c5dd19855f946f3ab58735a1d202a5961a14d403574d3e89edd8f761ad5e1f3286515a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3de12af11ad45c25f60ff6a8ac24bef1

SHA1
a447a28b4e75120ecee8e3b48eb5912a8c6c7094

SHA256
2860a40b1c3d2dd21dbe33d63f5da7f98fe73b0e389327488fa3c293aadc07d5

SHA512
44e19196beebd8de31380a8c6cf1aa2edb95685ea0b13f89fea71da6bb6b74d56cc20536e6f9aee79d91e6a6211971a78a5e4c7e9db4c17cbce8889101ea0de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
fb12da0f43b05ba70af75782b40eef2f

SHA1
4552ea2f133c684918faeca0c5c5512a7ad7af2f

SHA256
2408c59cfccdfe990180cc29fb63d0073b868c98c233265954b9a43101e07fa4

SHA512
f13f267177f20b97a11ea22365121f93b5c6d290e47dfb21de1d1554850831c2d65bb999573ab22326621bb757551a457dd21c6127aa5298a6c43a98cd3e80be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
db03b334bd385e3ed0ca3b3de0a68e05

SHA1
6de720beecf39b46f2184e5b7d9f07b64efde5df

SHA256
8a4e0169b79e6c72c14cb469eca967fb2435d750980772702e774ea7d8cf0b69

SHA512
b871f38d8cd28f01b112a82f875e1d8fe842796f7e7b25e211a7c0196d78eb27f6c5058be5734130718c0d67319b30ab7ebb22405a6bad7f983f1c33605bbd58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
9f2d1e805f9352893776865228b2a432

SHA1
eb1489e1a3764eeaece2915e8487047b210aa4eb

SHA256
2504e5dc62bdccd5d2250091185d21ebd47ad2a940641b94f684ee5f207df4b6

SHA512
18028df91a7776e9882800d7c079e59d4926ef65a2e1e36f2e2ffaba5ee9a80f659bbbc158024985b4e7acaed3bca1b1f33f999a7fb8f8fe5a3dbb66dac9db7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
cbedf658d141d07f06845142d48b4e4e

SHA1
3359f3e85fcfb378e9f90aa484c01a6784acd621

SHA256
20aa6e17def568c4fb41701899192e1bbea75f7997250e3ca55a03b4ed5d14ba

SHA512
3cfb7ee9fb8785f66f01ac1bb146f2988183bcee4aa8929d60d8b30df90efa91dd271b0864b4b2fcb512abd1f41fee4b17df4908c10c2c73080b5b725e9e1107

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ebffa3d81eb1b397cbc8372da08107eb

SHA1
bc6460d3545e14352ddf82776b2c7a71d90b530c

SHA256
9d6399c1da7740778d84eff690f914165118c1181e9ab85aa039cd06df0b09c4

SHA512
9f0b17f639db145d35345d83720452257619cca77cf53fda03541eea9e16093d660ce6d54fe7e034d21354a14d00a00e6936e05dc9766b83f306661668da1fb3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6376a3d13b33d18e0e6965bef6d5672d

SHA1
8c0c2d9cfe2f0b191efb1a274788eae8c57c6b8c

SHA256
4481872c8ef16c45e8c0aa9d797c8e3d92702feebbebd9ff6e48adf6a1a796cf

SHA512
dea039c2f556a2c74b266c70c2573ab0140eeab660d74e5f4c9b2203cdb4e8559f71b6165fd5cccd871cbbff63f296b8d337e3774d79816f38aaa8abe354f673

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
47e80c4620ebb61321429bdb1579a363

SHA1
736b021cf1a96ac15e2b17a27312bf55f9be767d

SHA256
3d63909d27d4741d338dd4cb2a9f8e092139e9a49e9e368b5ef77ceaf287c580

SHA512
8c83e3af4a6a74c494981758d02bf5162d819364bf9e47885c74defa2f1436f562739a080369dfe2f38d923cc394ee91f0c69d4eb027750bd865bf3f01311a33

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7e0d40fbc59d11177b197852cd07b5c2

SHA1
1ec19f4fc7fd01834da117752b2c669b6dde18e7

SHA256
b0890e24a8fa0bb989214c9caa710e88f0f720a25321b77b61e49111bf5dfe76

SHA512
8683355e671017f004cbe03cdf6e4bdf80d2be941821038ce6518dbc5c15a0bc253a52fc165ace42bd42de2a339532d496f601d142b06d9d1c32a0b5125103a1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
36627a752ef782514ea7ce682a05a27c

SHA1
b6f1755d66016c7dbd78c9a6493bc1eb6ef2b913

SHA256
a2f9d667a0f0798297ccdd15c1a259a3e3c93e870a9443687d378f81f85728a4

SHA512
c2d5155d523ef9c81f0b72efae24fc517af0f4a132d8ab634cb3351628c89a822a87f334da6cd4dc90fbbb8d5798ff752e4942fb6d79349c2ce7bbb80712bbbd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6d233b7eefb7d4d278158f168c9de87e

SHA1
0abac68a85c9ffd5d6cefbb35d715ea87dccba52

SHA256
9bf21130a58c048751ddbd712e6681ba454d8146bcc4ad14712f0484578481b2

SHA512
af25ad0099c87dc5951e43725f7e1ea8ebcd7493d557f24c90839d613660551659cc3ec04af411d07c34e3ef2e4f3d5556b38442a1a8f83b07b90699e0dd2b45

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e55b0f6f5a453c75b85548cf94d04b07

SHA1
9af020bf05e4b185b309dd7425acc845b23e43eb

SHA256
2a69b0119e365a0f5cec8019df1dbf550588b4878865b291c2428ddb17872754

SHA512
81d7d300035c494757259e2dea31537d87bc0135418030c179cd85771c4a2141f2fc4b318ac3a0bdec240a66a559ce5eb318c4af88607c70b96fab9394368346

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cee119773dc77d50c525da7b3c8b8f50

SHA1
9888ba91e0939e376afe04fbedb7d78e26eeef54

SHA256
bcc7a86599028c0ae754eb43c27ee9647d589a3ffa8f81825f4f76cdf6ebf698

SHA512
7aac185d60797c1e82db89092f4ee4a353e32c9c8b25f83d46a355135b4d40a50084193860fcb7c2e2fff2f726722b5ffa4b4ba64731c8fe7f6129ccbe6eb1f1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
063731b52887f78aec04ac1f58131647

SHA1
de12ec68294f53d564af95d505975f200b2a56d0

SHA256
1d8cccfcad7a173829dfd5113f67f78c95eae5db78a06f87e9e0262b92fca979

SHA512
3774e9e1b006ab7b431d4810c991788d3e92a83408ef05834d1d51c8fd01fb71e244a172fbd51c006be05e9e0a3fb9ec94c1c29c5d1ccc5106cb7e908f836f85

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3dd585373255b17a8bae44125bc32818

SHA1
dbc3687fe277403c94f8f960e174e67b4305a6be

SHA256
f329ebea252dc47c99d026fae234c775a744f980517dce56fa908bc337bee48a

SHA512
d855e977dd8da97a17abb39e8ceb00aec77c75292137824a3218ad72e41330dc2997710ef6be6096ac44dc07b8cc430e7ba84946eed72fe4d7e504d8e37c5f36

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8ecba8d56bf5841e6940da930d3ea02f

SHA1
c0c9ee2f1de0f0e922e4f47ad51064c977df4280

SHA256
6ca177c2c0f3867f698c298bae73da7fe1fdef96f0b281339f848ddfe358a974

SHA512
26b044afe8b35ce491931ad7eef7c484a373d362f0b8e64d42c6ad09007e92497e8cafe4017fa7b2e34063570846a655748e8887e3e61e79711539f86f7f0411

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
473ee9aa2af8b542864d8977ca8b1c44

SHA1
666a2bb9de0157349b69a4a94aee98e5c7b1af9a

SHA256
555195140bcf72b8282474a2868eb8c931698ecc27f63846764e0e78536d65a3

SHA512
7830b371dff2d66f4d2bb3ed5fdd0cf384fbfde439084c2985a8ca1a3ca4c826fa7633a0e6e98f70387f41307ae0374b78f3fe7204c0ce5e27476cf0b2293db8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8546856ca24a735c8ab208b910b4de29

SHA1
e9a2780a53c5437ae44f121023d4ac8f794b5dc5

SHA256
6ed29fd9b6364a631f810839e1af2769fffe0ae06157f6ac5b5bee5eec863ea7

SHA512
ecdf1e08d0bd52a9a0ca76c80030acbbdbf578d8507271a2c507740e43da834f37397937d9d1844b26b1d17c7c807aa8c6a093337f4ddad1f1067affc4eb4335

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2399d0397d5ac4994c1f1bae8c049119

SHA1
8237d7a304502df8d0d662f7a1fad0d90e1b9f7b

SHA256
affa3c0d4a05fb807b851061af1999b512e8c0014af17d8388aba9ed07adfc5a

SHA512
c1ddc4ddd5a8bc2d90e59b682f29bec950181acc01e7c488445a5ba27ac9396dbb3149d520b5b05d186d83bb6799678480f6bcf19e5276539cc3232c3c578d3e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
f8eb6a8584b3ff6beaff982c0ffd3707

SHA1
fc503196b042d052fb18e3eaba95649c41b2f53c

SHA256
318434ea5218e4fa9f28d5b0b06ef2217760a3151eefc7e1397ebdbfe88517b4

SHA512
bc64fee1bfd8fcce8070712e3288cd798994ee6f4c749c11917353929c0926a3c9df71ab1b8a93bde1b2748a1c08bbd710e950d59d128b7fe57573c31fdf76c2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5ed7a3c0d5ed903e16855b6cd4f2b6e9

SHA1
22d2cdfca22568ebe973a182f5d1cc1ca5cefab6

SHA256
4aa88b1f33f9dcf38d6c7110ef6d9de7abf3552b56e2a933aa44a78907c24aae

SHA512
f87ba903b863a8c2af6c6d4decde0fd9ca957cff1c5aa5398ee34e30fb12344ee8aa59d10eea9acba4f2474bc24f2c26074f2710b3797976f62b1d6117e80e40

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
873804d5eb932bb4f58cbf0833c44d0a

SHA1
841108bc2f7295914764a2b867184f86619e701d

SHA256
13849a59d1923a7676cd9866999120fe6fd138b5895e87f8eae74e6b9adbe4bd

SHA512
f157f0f87ffd9eabae05b77ad511b574d1bc7c04d32fb63c34309cf6dc8ddd4b848cebce7e119de0003ae9792b9f6a3326512105e7937b9f8b712c59bd46b8dd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3ef854a66fa9ecd09fb84d70de135966

SHA1
01d4cb88bd8291ee37fc5cba1a819c734f1e8a82

SHA256
e8d4dff13b3d412ab23f3fe34815a30af52c91fc47764caa1ce3f8c0fa19d9c1

SHA512
050bf49fc082d9f127e63601940fd087b92d93f443a81239b20f184742645be22b2f74cdd0b702eb898ec64fe3fe3bde65e875cc8bef11fe15f8ed67a3dcee77

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
bebba155c02403e9bebd66c34d0fd21e

SHA1
29b62050f0c3789f900a1b014229df9dc6c4394b

SHA256
127b2865298555497ca8c74eb9a4bbabf2eb8234e40ef5d91eb160dcd6903d7d

SHA512
14c35c8981cdc63f8b13bb12b8abbe1890f69f1c9e8e7c77fc76529488cee4edc877a9ed0765f6aa89100e28f38e5b479a5f3c0849d094fd3a88fa7b93d0e420

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
11118e1bde5d87b9ab143b69957c33b1

SHA1
fcd3f93d806dad4b82a69d518f6d1fd2505e9a2d

SHA256
77b518b63aa9b7a999664d8f61ff0dd0a1dd660dfb067d36c477b4402615457b

SHA512
2c07ec67ccd80bc17de0f66cb6619873854f7c47f12b9cef5b279f99943cb1f69566e4ed519c0afea4729f5d665a379bc89383f2bac0c7b730033313183ed0c6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fa1bec54016ae8852dca4642a3bb0f7b

SHA1
7ca16f5038db00b07f48f20e570280540128990f

SHA256
46b609adefc68362aac7f91f0828a9ff4247d4b96ddfe1ea79dd6dc8714f6a77

SHA512
63ca0e28f77e836a11f356bdcf575deaa8b7f651d33a4bdc933f054ef40b51a9af82de85c50c3ea2ec9f46aff78a0a26ec5024393d6e87e3c2053a786476bac3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d05ff47e6286640781ed97e2008ac7e9

SHA1
64521eb9282c9cc588e341f6eface432d7bcdad4

SHA256
2229cc5ef34f05add76d8c02be946af028d8916b953eb194ab269dd3ab5551cd

SHA512
6e6ad9139c7332f23b3777b9f21d5970a0084bcd7fc6054467ef0d77ad60fbd06f183bc5fdc5248820b6ab24056ac9e0df839af4d771c09333bb9e9c2dd6635b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e321e673e66a8c89379929512bbb50f6

SHA1
2ec746d5c576b773e1c3d41ec71be233caa7c58c

SHA256
e2ddfee148d28e89f31f870f9bf1b5363a8942b37fc7545b20be47ec53d928f9

SHA512
536f95d7ce6ccfdf7dcc241d4edf5e9a176e028d0893e3b71f9146cb8a5c63b4a8ead6b789439e7fa734d490c17667f7627852d55ec34e4aa9594ed19e7a99e1

Download Submit
memory/216-741-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/216-298-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/228-267-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/228-737-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/400-735-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/400-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1116-157-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1116-158-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1116-150-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1116-152-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1116-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2208-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2208-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2208-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2208-140-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2284-174-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2284-285-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2340-310-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2340-742-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2500-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2500-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2500-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2500-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2720-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2720-744-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2744-232-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2744-649-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3300-208-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3300-321-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3384-270-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3384-167-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3384-159-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3716-254-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3716-736-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3848-122-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3848-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3848-127-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3848-120-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3900-743-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3900-322-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4000-196-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4000-102-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/4000-100-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4092-280-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4092-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4176-738-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4176-294-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4372-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-684-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4392-114-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4392-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4392-116-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4392-105-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4392-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4440-197-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4440-309-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4448-193-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4448-297-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4912-497-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4912-0-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download
memory/4912-5-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4912-139-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4912-8-0x0000000002320000-0x0000000002387000-memory.dmp

Filesize
412KB

Download