77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
Size

1.8MB
MD5

d8f662ae15aa17dbd23c8bada0c08033
SHA1

e5e15420f9667583d72639a118a2e248d2403486
SHA256

77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0
SHA512

53ead721cc5227464d3925cd548809b8d4d1bbc390e0807eb0e5f70adb8d16db1d90b99a71c986e9d4054b1727fa09d9bb4028e0718c289a6a3b8e53e7a45633
SSDEEP

49152:kKJ0WR7AFPyyiSruXKpk3WFDL9zxnSq/i3da1YS6ozB:kKlBAFPydSS6W6X9lnV/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2216	alg.exe
2928	DiagnosticsHub.StandardCollector.Service.exe
668	fxssvc.exe
1364	elevation_service.exe
2924	elevation_service.exe
1488	maintenanceservice.exe
1008	msdtc.exe
1804	OSE.EXE
3712	PerceptionSimulationService.exe
3512	perfhost.exe
3928	locator.exe
4744	SensorDataService.exe
4276	snmptrap.exe
1864	spectrum.exe
836	ssh-agent.exe
4840	TieringEngineService.exe
3964	AgentService.exe
1652	vds.exe
628	vssvc.exe
3356	wbengine.exe
552	WmiApSrv.exe
2704	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d1a4f41992be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\locator.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\System32\vds.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\System32\msdtc.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D18.tmp\goopdateres_am.dll	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D18.tmp\goopdateres_id.dll	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D18.tmp\GoogleUpdateBroker.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D18.tmp\goopdateres_tr.dll	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3D18.tmp\goopdateres_et.dll	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e73c1a02ef9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cc34202ef9cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012eb4902ef9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087a2bf01ef9cda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045632102ef9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b404c201ef9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9446001ef9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f1a5c03ef9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d78f7103ef9cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006268a501ef9cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2928	DiagnosticsHub.StandardCollector.Service.exe
2928	DiagnosticsHub.StandardCollector.Service.exe
2928	DiagnosticsHub.StandardCollector.Service.exe
2928	DiagnosticsHub.StandardCollector.Service.exe
2928	DiagnosticsHub.StandardCollector.Service.exe
2928	DiagnosticsHub.StandardCollector.Service.exe
2928	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4860	77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
Token: SeAuditPrivilege	668	fxssvc.exe
Token: SeRestorePrivilege	4840	TieringEngineService.exe
Token: SeManageVolumePrivilege	4840	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3964	AgentService.exe
Token: SeBackupPrivilege	628	vssvc.exe
Token: SeRestorePrivilege	628	vssvc.exe
Token: SeAuditPrivilege	628	vssvc.exe
Token: SeBackupPrivilege	3356	wbengine.exe
Token: SeRestorePrivilege	3356	wbengine.exe
Token: SeSecurityPrivilege	3356	wbengine.exe
Token: 33	2704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeDebugPrivilege	2216	alg.exe
Token: SeDebugPrivilege	2216	alg.exe
Token: SeDebugPrivilege	2216	alg.exe
Token: SeDebugPrivilege	2928	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 4948	2704	SearchIndexer.exe	111
PID 2704 wrote to memory of 4948	2704	SearchIndexer.exe	111
PID 2704 wrote to memory of 4296	2704	SearchIndexer.exe	112
PID 2704 wrote to memory of 4296	2704	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe
"C:\Users\Admin\AppData\Local\Temp\77fb5f74fa3e65a72f60a78cd095c746f4665da270faa269a030e805b94c19d0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4860

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1972

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1008

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1804

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3928

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4744

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1864

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3896

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4948
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4d4f345d7ab23d304be6fc8e3315a4ba

SHA1
5df433f4a0cc962292766a70ad6cdf36e2d6ceec

SHA256
c4655384207e9337fba25177a0ea8a7d0b33f1fd65904f730244f59da23f2733

SHA512
e941252d3adbbc9e9ba07b15d602af84a711e677ab8394310afc5f2f239150687cc1b00b8d21cb68e2a8f9cd17d330cdbbf10e8ce5c6ceb97ca7fb23b8d93328

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
7d4c82537c16367614824acb903acbc6

SHA1
27bb99ee6419680c01f40c770e3feebf86e10845

SHA256
817dd9e8fa1d85587ece2ed200d75b735aec339f34e8c9cbd69e8bb7476111b1

SHA512
d558944235f54936e670918820c713a8164c235778212219e1d3a26da898da03c0a1db048ba20a03ed793b24ab96b33220848d9195a9b553d9a6ddf3e3a5c6b7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
477c54c9df2c38d88d7a6fc2488d7323

SHA1
ff0b39bb9bab42f2ec4f451a8b786453004227bf

SHA256
8b0c63c1585bf09ada82c6dc250c299ac251924c5f51bfb74a9ca401ed6d9927

SHA512
3149b272600a922cdadb85d490622ecf6e53e547ea35d3d2d7f95643aa8ce0eb5b6b4ef9b2c75e71af32a7f9c61a36e07e40adae1626f834b12175ff010c5ca0

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2ab71e17e3283e2b5101e6e06cae058f

SHA1
420acaef6c165200975b9b181fcf2237933e8d75

SHA256
486ae4c1aa46c52e08981b3441ba8f9b5b5222b53b464f7c23e6622d498f65e0

SHA512
89e054142c9d1dcf7d1ae8429798c346254933377a0303fbf8a713a9cfb5b1799715e965b9969fddf2bde6db6afd46ce9e5adf11883edc6c4590dc4f4bdced5e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
da056ff6714472c3503ead2629a3be07

SHA1
df3ab19d1635ff7c855865d401888a8014f54130

SHA256
a88b722f857e1c2e449660858a78f352f2cca086d19acfa925b381474d62c694

SHA512
c3ef324be808160b6f25f8785300bf73374b9af8859d59bef903d8c262f8f208d778285217761d74b35fe7250eb1e41aaaca308bebd18b75843e30ccedb5dffe

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
8e64b2f8814ab6e0a63a96abc1735123

SHA1
46d4e6a50e7068a439495bd4d25225c263bd219c

SHA256
8705d90edc90c68182466a6705f9bfdeb63cff2b73430504dc27cfb82af1e1e3

SHA512
fe78ae17b1c85ebc7338f99b33f0da077554ecb2a2066f0f216a6d8fcd91c1ec50bb1c764c0ee5501cd9231c0475532aa2559ddf5342a8a4263518d48a66fcfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
cd100cc308f719282571e4cda31fcbd8

SHA1
3ece659e41d522cbbf67a5e16d4f35c802fcec18

SHA256
9c330ec170eadcc8e8d1d062e93204bf3179ad238801b558c114266ee9696754

SHA512
342d014ccd7c0971ec183e1037a7d2744fa4c88ea431bb9e9c7a8b93b81867ac341e87f99e0af1de4b565d6ffcd1a67a258265f4506463dc46a23cf0408a54c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1ba73a365dcb63c095f15beb0515d470

SHA1
30fd6207b167c1870a7538feb2ce4f326dfbd7a6

SHA256
5606c2edc82c0302f0496a67cddb309cd6a9a03e2839e585b2144c34c8f2941d

SHA512
b3fa69b5322d17851129aea67add20dd181ab0995c8ecec61f3bec71ac07ab6c08a453237ca8f8f16635164e20dfaabdbc4fa17fbc0148c8e27f39617398da35

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
3aa0d993e74e2dd1fb73c3b3766f33e2

SHA1
38cd46444f9aea516e32fbb1a3fa373c3ac68a30

SHA256
b848bb410c0b0d50631efc44abd448aab4d435dd34fe013b9bfb1ce3bec50c46

SHA512
67bbd22193ca24ba14e1523f4469887011d34082deb74409f4b9e3ed7dc74559f56cf573206732c6d650ab853ec8342804173c9988f6b117aecdd75cb219f604

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a14b7831d39f5c55477912eff236cad9

SHA1
bef1594d1aba3206695a2b4bcbd5c9eb79becd84

SHA256
3c4690aa727a6fdb38353f60cad7bca535535402051d732a35b4878f36c22421

SHA512
ad29d77ad7010b0295815ffdf461b7ebe0f0ef210924a4eecf3ed8274f2de7c7ffeff56c3c423c805634a65af4132b44addd5aca0e6c67fa9150d12a937febed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bdbf32463ff5bf6e5237d7b66ac3e6bd

SHA1
f8044cf6314185c375acbc89c400669ab324f60f

SHA256
792b99c65f3757b3df150900a7563f2dce743f8190c86e4a95da949da50f3881

SHA512
b1a22908e33426a20c6c6a7965dbfc68d67644c1a68c568605ddb577a24cd208499b8e22a94fa59467698b127f6d5a2c365cf640a1a80794441b272890a46a12

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
09d99a3b33d995c6f70f0960591c46ab

SHA1
b1e80ec7836da12840d1e20f1bec4c78628e58ad

SHA256
434f5f56d39ef0dda12eedca95d1480ff727d0c6ab82a359fd29b68602c3fb0e

SHA512
8d2e0dee43b4247524196c0c78041a3bd59190e45789f1fbb37753a0ba14ca7fd7e4aee3a9f2b972190f5dba5cca382f2a1a0a942ad3576e8540102b61a638b5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
b669ab0c824923b6c5dea771cab6f41c

SHA1
963e8367bf593620ccc74488b5b379036c12c2eb

SHA256
4e29c8c35401979e90f98b3c49759989cd6b366f93d1745bbe7470d4509dd782

SHA512
4f3eae98890836e00ce405b503f0164a3ddfc3502425bcd21119dd37d8870408e4260404c5979b9592c37094ac9a8812893d965022ae71a3c06fefc4a5af00c5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f6e085c34e45a39082328df42b98dea6

SHA1
e09b389441d68a1516dec829ad00aef48bc014f1

SHA256
e1baee67b871f2efe959195827bcd84e82a63ed0943b603d2e426c6049526eb3

SHA512
85145cce194da1eea539fe4abd19c2696d913efc75ebd1473c6aadc21ebb2f4f148bfe3a1bea2a5066ba629d7d85ee8860da0f0c6f0c9d7728009e18a431a25b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c103d0be3dd987d9df0a595f9dcdbaf2

SHA1
205635e6262f4aba1b591d414481b02b614e2947

SHA256
19b63fdfecd760d88927492c101e9102905a1584db89d9229b2fd82ca5175453

SHA512
475e79bf191b3778ba8b0bd9a5f8ca158e96a4eb96bc0fa3c6f0b8c6332a20b9daa7e3365128e54361b2a5f201d6bfbf0e517c7f22d5996168946decafa6a10d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
47745b4baeed3364a2c8c5dbb4323635

SHA1
69616ec5461dcc8f01e8b128e2e4a71a1d2de6cd

SHA256
7f00ee0abeec871cbec784aaf951e165307242aed3201ba437c213888c7b00d1

SHA512
71c944b42b80f4c34ad5f1c89bbd6258cb69edc7c82e6774a1c5cd117ce3414ea293192da446172fccb5cc6649e14d7efea883b4f52b540cf3c468201115a409

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3ef43db539e60e3d02701fdaada6b19c

SHA1
a6ef6b256fc0ec36c8849ce2f10ed85796ef54f3

SHA256
245c3a3fdb3810ec567d502ce8f811bd9a95e59ef442e51e48fc9010627188b8

SHA512
0439ad68edd2f4caa0fb45c327f7950d286aa277a54882de3e56411e11100a45813c0587a67ed18be6912aaca988740536cee09d93cff508243eb18725df52a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
a64d9cb1e1b30da06389e75973352c48

SHA1
49b2a15ce92c4f0881d421f83e02c0586c86477c

SHA256
d3934ec19efc5f40f70f60df4cb5aae61083034128e6ede3910de7302ae53553

SHA512
568fc984f09dd7857d70f6474dbfb87f35458c1dbf92920fab253d146f1ac564143bf0098405c6e376e5ffcc2554bbaf5e6a44268b51ff5af54105e0c4fdf60e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
59c91d2054eb29a9ac4f511c05463733

SHA1
2f0a40b01a1c7695686cf0d47ca5dfc32c25b519

SHA256
979fec8c2aea21d3a9d3208593b3a36bd6981055e40a793152ffd268cf22422a

SHA512
ab6224c26587766c35fda2818e814d22e8c135467d17c44634d9489642e379e75f82665ac5f1d2e17f4647d25497bd2d577ef89ab6a0121740eaba1597f0f031

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1363a7d0b77c8977760df927b4fb1418

SHA1
17afd26791a38e8e37ef0cdf38d0202713694417

SHA256
85645aa0b82e23e048ffd25957d5ca8f44b48daefc269e3afc70c8f373b4cf67

SHA512
d4175d47ef3c609a923fbedf2a6502e99125cbd5af434e1108ee8512df19afffa081562d4029f0b1ebf29966ffde6edb96080d8f743fdd5019be641913392580

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bee76e1c405c0d309de3352bc0d2d88d

SHA1
b5f893f9702decd0f5639cad07109493764299fb

SHA256
c1180dbc613f1efaa42b4132f4fb038df0433a63661cf463a98d71f26c6dfb8d

SHA512
24d0e9b1861e80fc3bea8a6da22442cdd891e24b75417169564beacbe1f9bd45f09e39df299936182d0e907a199dc62c557492f008159c331f2f5dd464bcab24

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a25bacab664a3ee6feb9fe39193363fb

SHA1
aee1d9196fbf162c84c58fd0ada6e78115c307ed

SHA256
f40d1a0f8d9c13907e4c385b45f24fc8c0c41e07d281ed37250a0a45c2aec4f1

SHA512
3db71b4f2f7af3e0a39418ee22e9aabbc4a7ad5507d433de5b61517710d18e0223819e22268ad9e4e4c0dabb070cb054a81d2c1a7e5ac3f8405e26c6dac6cfbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fa9ed9e9e4aa7ed64c4ace4f8bd28f54

SHA1
b2d31987ecdf737769b5f7ce20f11d8063e9cc1e

SHA256
3dd4f5aa9f1a4cb43619fa3d4ca01ab682737461aa510e4a4619354a112677e7

SHA512
bce1fc97a57f54a011625c03d7c7c624d825c464a31dec8f044a0739f35019ee3042d5ea2160beec5c9c9bbdf137151a9a3691d4ec2defb709cc076be0b4d947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
8ad702209351114ac69c956b5bee4fc7

SHA1
0b079c14af4b34d63fb38559cbc4ae800daff5a9

SHA256
aded40514634e2b1e6f3f313df0bfa6557d4789337a03711a5d5f4a9d4a4d061

SHA512
23920e2a764b2e11ea977e9364cf18ff766b1df912ea74d8d0a198344512599e63ceb977f6b57c2114b8bbb10f32389e4870e0876ee24c6dab55ef45aa883983

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8ffc21c95bb8012d7821d511784a1b4e

SHA1
961728f7fe3f7a4af9d3e3d9f5ab2b24d84d5d8b

SHA256
e5202bd0f89e4c7451a9902acad16208e7b4f576d872891f50901ebcd54fa465

SHA512
d8cb39d2e6bfcd98ed89f6bce39edd69bfc3e38d4455bc64565b7de2306d250108bbbb4045ce3befc05e0af392bc9c2f5c986febbed04ba6fe6a304330be5d5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5b8606a8728c060f0dd86da35f231505

SHA1
52ace5d4cd83c27dfa87dd84d4493f96303b7924

SHA256
d212cbffd67bdc9fe44d3f5f1dcd0ae5cd32fe22ad57dfc9d2e83765342b8bc8

SHA512
d24ef2d5364c45d2719b92069485ce59cfc35586438de9fba8e34265ac9d7de9f5b0ef4449de6b1391620c14c96eddd90e4d91cbfc3655578c9323daa4739a3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3de4bfff983bf5b95b4453b17d2b93be

SHA1
83eeaab63ee8dbd816ea933105e875301e81bece

SHA256
b7be4618e105be286db0ec38ad799f670f013c9e3d92bfffeb7cd4ad91d25566

SHA512
0ab9aeb9959f15053c076fa00bc308facc4783e2c7230c81f4d16c77dddfe97df53777bb1923455bd06da8f8a10feb34a10cbe133d6a4dc2e43f669fac3e4325

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
02b3fec822746845a7ec6eb25c9ccd8f

SHA1
802136e2d31fbfda0e0251f77a6b5f8f2f29f8bd

SHA256
65299f42911aad97366061e0869ae6002ccc2d246b91441f55e9d374c99b0b63

SHA512
8e58c8472ed620f3cfb5300c4e263a22ea7833d0bfae495bcadacf241d3a78cca5ee1fefbb0cb76d118caf750d36d7659850502ade14b3387da5285b41950397

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
aa007902f3791ac000cb18e5305a56e7

SHA1
4c4f6ac3128a45922e59fd5fb0a6c45e030738e5

SHA256
d8be6d88e19fe789df6f38de1105eb77176818c13792268167ae52ca6277d213

SHA512
454ff2813a2077d40a7d168211eb1699bd79957b7e4682f5dcc3a79a10f19cb8cf47bed0419964cc3de87f8d2b8ceadef5029fb1295d6c108afd97fb7b201649

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
02b3aa3cd99a7f74a9fb20ea068050ed

SHA1
8b62b244ff55317629c0542ae036ba418dc6c34b

SHA256
dcfb5c3e2e2ee6149e85234f610a58f4648ac9a10db93a36ee84ac49c008e4b3

SHA512
946150351c8c9afad73639bcc432c8e894bbce6a7091d6423f8b3b5b6a8e8dbf740c9273bb071856ff0ca81abd6c21199d81f10db7a28d203bd192e234c10362

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9bb770d3a385367603d86f17b0da4dba

SHA1
20695830a94940a92720152eb4bc410095922928

SHA256
e12767006ab742891b9e3ff535e33452968546197c9bd6a1e1e40ea5ba98b12d

SHA512
8eff792b1e78e111a0cf46ffd73d0c2130144c1ce23d7db52d96700256105fac15580bf253b61b80d3e8e10303ee76820f00c83c0f4139612a273a556e026486

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4c83328a4244c604a88397aba0152046

SHA1
9f1918e6fccf3b75989356e3224ae541be789112

SHA256
e7a1ebb3b22ba32bd7e9919437923ad1196b67c4cb9c1a376615a015b679cf9c

SHA512
7af8ff160666582e62e300d4024f18c79ac799d8220a6be2e63488f8e4bb70c9be9b3291c016d662a9775540338061156c5b68a27ce616279c9fc68d75888ed6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
02b7f36428f48303db6f5d9499d0a0c7

SHA1
3fa98d4f21477178ad71c790ebd0df1167e858ad

SHA256
e1e1d20d1fcf1d5e59ef8ecf6c0afe948ec0f1bb575cd0374e5477e10c0328d3

SHA512
a0d23f946896f7197fad5e8030a9dff647564953278a4841a1527eee4c2a8415fdc28a92575ce489beb98e8922700d307e092922156163b8c5237b4c51eeb86b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a9148bf4808b41f4606ce611197c309f

SHA1
fe48158e23a97b29b6c1e236c422f91fc5709118

SHA256
f752bbd1438e3902a385b28a5272450fd32a5e9c630065aefce09a61188d6bda

SHA512
08a8581b2bbdbd13d96c82e5cc25ee0a2c38ed284e0a010a9ac6ac200dac82e0c2cd5b47a7564bf8564b51088c3226d454a6c0058e9b69ae5fdc09febb883bba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3f2cdf4fdc4851a7f055267ab49f3e56

SHA1
c90729a7c9b57fee91fdfee1f0a342d4672c941c

SHA256
ee026be876cb97801a7660e33b1d11f121bc7af06be85ce82462bfb0c2c0938e

SHA512
491d7b52ef8d0fa41b142e864c36a31adb2cacb7dbbb309a0fc68732a5863e77a5730c3d9041d352d4c833cc505c3313b324b3ccf8042817e6b794a5c1e120f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
dbca324fd17d583435546920873c1000

SHA1
1cdb5597f1cbff7783d5df644bf7f7fdd79d3733

SHA256
e8cf271f197c06150615f81212d80ecfd93d4ce9f60da9ad26af50778febd259

SHA512
cc597a51513db2baaf0ed9a853e14e93fadf19aebfd15f40e606f05b7bd7cdd4c3ddc92ae44a55a25d7af6cccc0221e111a3fafe5cf09b4e528100484a2e3b02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
3e5ec8d04bea1eeba5acc630120d15c6

SHA1
7f1668f301da1e142aaabc9263e0ba8693c74f6e

SHA256
a7988df210f38508fb6259639011797d28a3c03113973b601c6914fe7cd24e6d

SHA512
69be614e23efd277c32611d759272aeaae4bb623a28b7c49896706466728b695e6f0c06890b15bd4102342afcc7ef60ab413ed621f14d60a464a84987979ebb2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2c740c6ed0ee6388462ffe1be1fa519f

SHA1
ab98b713a22312c5d5874eb946856cbf5099ccfd

SHA256
0690b25055938abe9fa041d3a48117eb52f2580a579de1ae154dbea9eef09781

SHA512
5e763d02c9fbc472fd40fc189c1cd5513ec6292af942ed2e7e610b1f526199db2347db05bb4ace00cdc8d53924ee439887857294701c3533bd92d11acd60c765

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
567c1cad3e8f9984c269e5e93737a43e

SHA1
05b69b76e2d4afb09d5e52f30fa551615235ee27

SHA256
53040e40947400ea518021d4ff6f8dec27a0bd38a0f7f36ec928fecefee90daa

SHA512
75da374aee3e70c5608f59c8194c2dafecb7122df1a9690e27f7be4292ec4be753cf7759c3d4e9e9d100ef00b7675c489ba5ad77e605238d80f37d5d80d1ce5c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e7708c4bf14f1cf74f01b1ad88782edf

SHA1
4911c477ec0b8ffd75e06fb23efc3604e69701b9

SHA256
a465aa536569a9b84071b68a3a1bc9889f1f855765687001f9e1fc8d7c0b1f3c

SHA512
8e5da046fadd70a368e00ff98b98fcf2a7562e2fe5110632331f401a6ae6aa9f644086671df7da7cbe1e7f831ca8f5a1902efc138462d29c2ed7c73dd95323db

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b53a4db14b6250fd2a3b526d6ee3ec82

SHA1
7cfb26feac331c4e30244c5c28b120e7e5f15153

SHA256
8c422d8f49003d49bad045e5071fdf16bf8d5c6b9aa2f87f8e698b29248819e9

SHA512
c0f2e055ca41160eb00342a10604baaef472ccf23a7c9a5a0b82ef714f4910f9a117bd81706da8c2694ec84570221d31fbc6fc5db4d86169593d531fe21353db

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
19a3e260c13398facc9a4a93a06f018b

SHA1
85d3016d04b5070dc582de7b9da9bb3e163cc4a4

SHA256
a245e450d31593a7891f1b35fe1e01c7d800d7906f1bd817d5a44cf84aeff48b

SHA512
45569c01a617e1c8bf6b310934208df0b037b0deb3b0b197e3c78817d05f814ff6df6b7ec82f1b44ae14d4edca90323ee5182e4d8dccb66b0880fc781c1dcce7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4793ee006085e07fbdcf2b0fb8bab099

SHA1
0c27e0aa012f717a9930e8db94b7e8de1a693c99

SHA256
6966c38c5a84aa99e8f8d2c3b3fdb5dd97ef545322b8a3f5e9e78331b2955619

SHA512
ea8b81905201ab9afb22dc7118218f42ad3b58deba4fba7a631ed5ba7d706041d1f4a3bcefde2f7c3193a35a760d4e852d15398925ff0be9fd08d34aab601dd4

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
094cd085cf303233f3380c0f8506e241

SHA1
7f62710e34dfb64bfbf1ae4417dea442cc886602

SHA256
d5a9e692c2ec46672e18c982ea3088c01f4a88b4ddf261377343e08d44906b05

SHA512
c979f941cf87c22e2317b43e25d913b21855a86380cc5c33c45bed594caa6221e0d329cdf77b955633127b1905cbe6aec193cafe8cabbed54b45ea92ca75771d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bb1b90a29702950539d8575c388aa8ae

SHA1
d7d53a94ee4742a3e6b983e7b122b6762b0060e4

SHA256
72e98c8f1b335d08477b2eb63440397167c661180d6e351d15b752aeb2aa40f9

SHA512
180d5260d0eebaadcb10df7417994bde79803cc5b88a02a70a67a680b4e8c8ce94b4389aef7aa9ec98e7849124a2c0f1852422d50c2078dbf9c23c39ef437711

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
49696552b969bce8b5981a99ccd75416

SHA1
7ac05db1e10e71ecd2c8c2a9c659119dd50aa396

SHA256
0a9e4771581f6f0ce0138a483b0f1fce2aa6f1ed4ca3eb5dde4caf8da0880856

SHA512
79c7b6b0a26e045d262292a283ce73b48e7e90f1be3d6520be03f63071588f058d62b81bacd85d7b48e9ca522608500ce557bbdf076a3c3d8439967e7ab7aff3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f48d8d907c6ae0df989806dd7e5ace85

SHA1
ee6886a2c51ec32d723ae820b4c3f13c729449ae

SHA256
6c76cca2726fa51352872dc8b75dc09fd8989f15e6035f2ad31fad9193054606

SHA512
247a6be42ef6bc72eaff6b292abb910ef03375cf9cffdbc58620289deac64555042a686b62842bfba71298413e15ea968309ed750f02ab09c19337ecd9ed649c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0cd2762aa33fefe5ca79a6e42affcc33

SHA1
aa28e43d43a7400709cc6cb89397a2a3b26a4874

SHA256
8753e9fd5bed327eba7431027d938939457fb5a6885e54a13d593f3ad9edd33c

SHA512
2f0495b799533085f3fef733bc891147b5b7ebe65f324d8c07e9e2948c054bed7886d5ac05e86a2da564f8d15772e1d4e1eb42a916b561b9cdeac8acbb03ae5a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
be01f434806046afd13a5014b7ab7ad7

SHA1
72a572ae4c6655bb4c89e101ed42950a6b912560

SHA256
272b95ed998d51e776656439c6f9014eb56f72a2f3cc44eb942be52b91d90b04

SHA512
a95973d20ba5584c91b6f126e58f8e718fd243e9746dc0193c30339d816b7a8ca8de6a566125024b9189504384ec8483bac146954bb6e028abb10a27a4f55ada

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
48af857612e35d64aba70f83155782a5

SHA1
72365beef653b9b3ca595532f6c2c7da6df14376

SHA256
2bb1b0002bc908e1c346e77c4ac261d0822923aba70adfd089453936cf3404de

SHA512
fc542e71e4b684a342500912084eae28b6c0f54dd159c57d43016f6eef927db6eff0d00119fb7da25d68fa1af1bca8dd0df022881309704272c070cf45c70fb5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
aa7a4d46d47cdd256d4f7c3292462075

SHA1
30a54eb3778434dc0c0dc94f356176c7626aa4e6

SHA256
f58b5bd5f0a1db787a30ce739eaa99e272723924343938c2466f44dde29d02b7

SHA512
a3da8e75f21d8a38797bedc109fd21abe9b3a3bbf0c53c2d552c23d99f9464138d485fb791ba9582c73739c22eca770f0bc50fb4d6c65e6677445ddbb4d034b8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
0a9860dbc535cbb8f251eb8e8277a1fe

SHA1
7ec59ee73239728c253e7f369eee043e7a47975f

SHA256
75e9955e3dc77e1bb256cc83e8b1f2493625deb0790ee3ec2b033e6b4e5d5933

SHA512
13a5bfad6a0d10761b4b16cf47a71e97d6c2f1977544b4fba17c2dcf07c5d285f9473b9510c271dc4540df563f5726c796c271540524f7976b9034ef86fbb5b3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
f69343d2c60870bee542fa7b47f1fda1

SHA1
c968ad685c0f0c7137fd34fbb8e1c9398dee0872

SHA256
743fd9fdf7e116b77b886d1d5d9e4b51686a99f8709be93085b403d024300e59

SHA512
861ad4ef6cddc3ebce7e8c60a4adbe230584fcaf18989d317c58173c981fe9b2077083cfdebd5421f3fe9c224493d6c4b471b0cd6bc7b29ba3fbb465534cf22a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
3806a11579950713524c375dfc652bfd

SHA1
88f6318c7c8a63495fc286d205b5b1186db35ed1

SHA256
689a53a75950938a6dca3c09dcf043a9cd3acf9d752c9b2bd35f7703810ff6f0

SHA512
0eaf327dc35d19a6c433d52a70eb89e125c46f97eb8b32f79b91f9f6cd51563fe9d9b1d3262751a00e3ca1301e265b19ce041589cebe2525113b4690c06dbf1d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0522379960fe8284156edb69f3ec2e12

SHA1
d2efafa22835de249cba559e08f080f2032631d8

SHA256
5d2442e19f8879f7ffe11b36edfaeed0e76688b212a6331493cfdd5cc0363b9a

SHA512
1284e607119205ec5d58bf0fec78878b90ec0b49f4c027a688f13918cd70224dadcd833ff4a53738ba8d5027d2e91cbc519ff8fe30e8126d60a7065c153473ae

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3b7d0a522a4686d0c3b882276e9a6a66

SHA1
5f61075ba0b619aa692dfddaa8a55aba0af05ac8

SHA256
eb0b8472b47dc9cdeca13a225a9b1a8d86fc91771806f7e547772a6b71465591

SHA512
3f211723aa0c399c835972da916f87c20468db54df51f7da59479db3099d8b52460d9f77b4b74fbb646bb6512da3d915150b7a51aa8aadf915184dddb6875ce6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
100d632fd3793b6d18b3d3f6956db77c

SHA1
c5641235cc8b3d20daddd4ac982208241ef8bb7f

SHA256
2bef2bcd776c5f71c0c115dbe6755be5ac153a48019aade4c77d8c08e23bc36d

SHA512
50e7eda23288e1f9b61122f3690a0c465ee4d30a5d2cb7fad63d13540c7fa29fb24ffd1243caa0b26a80d7f97733c149140152b4fa821d7891a720a4bc629099

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
44c495e092faa586b134dd0938395c51

SHA1
7449be5b4a4c09909e7bc9e1c5a65b0436f087f4

SHA256
20bb633bfdf324d307fc38cab617cb2e75b621f47f0543accc9587815d5350a2

SHA512
9db40ef253ec1628115f799f5ba68323fdd9b3da93c69cd525379e7a60a4975438495aed562a7b7bdc0fdc5c6267565867b62f75fe3a851549c06a7d865feb5a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
8d87cd8bffd5d7cf3e2e4a7d8d973c21

SHA1
2dce35e536d6e4cc4db8db42cd8fe3e747b8d5c4

SHA256
18a4ad4bac6b1de9d11b9c38e1c41a2423f6392d4d1728470e9b9a206e8fe93f

SHA512
a4d6d67fd4f2d9c0b350b212d3d5d84363a118b6d56e20b93e497e176bf47afae91cc09b2163c0025000a79decbe78a36e3c50d0f2d4adfbee00b92b59a4a19b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
7c99f8e987ff743e37e97b00286613af

SHA1
28f65f96655f98336c0d51edb29ea1b1c46f6c8e

SHA256
e59d7fa86b05573473bdb8ff7c5a401d09ccb1a8387b75bfe86be38b2b181458

SHA512
aff95206fe72d6878615b241b7cf30f3b926e5d37d0c6af980eba956c7b658fd4b98186bc2c58e490d359bfffeb578f747fe9a2cc2217844f1d4f295bc0d7804

Download Submit
memory/552-329-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/552-769-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/628-299-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/628-767-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/668-107-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/668-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/668-115-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/668-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/668-127-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/836-759-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/836-254-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1008-159-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1008-271-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1008-158-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1364-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1364-118-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1364-126-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1364-124-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1488-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1488-153-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1488-143-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1488-259-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1488-149-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1652-764-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1652-287-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1804-286-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1804-179-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1864-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1864-758-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2216-192-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2216-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2216-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2216-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2704-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2704-770-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2924-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2924-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2924-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2924-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2928-86-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2928-193-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2928-62-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2928-95-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3356-768-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3356-311-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3512-310-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3512-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3712-194-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3712-298-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3928-200-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3928-322-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3964-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3964-272-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4276-548-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4276-232-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4744-335-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4744-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4744-762-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4840-260-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4840-763-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4860-0-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4860-7-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4860-722-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4860-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/4860-151-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download