18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
Size

1.8MB
MD5

e0dbdeff6c634f95710df5d714b9081e
SHA1

4d93e1ef61bf338e93b677e1a4689164661566dc
SHA256

18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1
SHA512

befd430b4b4593956e2e1e8c937a9399dedec89dc06f998775b374e3d75178d186d4215d77c679df17ed75fef026dffefadd90f46e4992581cf4c2038b8a090f
SSDEEP

49152:0KJ0WR7AFPyyiSruXKpk3WFDL9zxnSrJE3jM2ce:0KlBAFPydSS6W6X9lnwE3Xc

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2944	alg.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
2964	fxssvc.exe
4628	elevation_service.exe
976	elevation_service.exe
4432	maintenanceservice.exe
4812	msdtc.exe
1096	OSE.EXE
4644	PerceptionSimulationService.exe
4324	perfhost.exe
3464	locator.exe
3212	SensorDataService.exe
1084	snmptrap.exe
2040	spectrum.exe
1356	ssh-agent.exe
372	TieringEngineService.exe
4968	AgentService.exe
2828	vds.exe
4360	vssvc.exe
4412	wbengine.exe
3224	WmiApSrv.exe
3332	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfd817ead45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\locator.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\System32\vds.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\GoogleUpdateSetup.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\goopdateres_et.dll	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\goopdateres_hu.dll	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\psuser_64.dll	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\goopdateres_sv.dll	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\goopdateres_mr.dll	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\GoogleUpdateCore.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\GoogleUpdateComRegisterShell64.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\GoogleUpdateOnDemand.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3009.tmp\GoogleUpdate.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5069bed709eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ae7acfed709eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b306e4e6709eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf57b4e6709eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009551e7ed709eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027d123ed709eda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d25c0eed709eda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2356	18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
Token: SeAuditPrivilege	2964	fxssvc.exe
Token: SeRestorePrivilege	372	TieringEngineService.exe
Token: SeManageVolumePrivilege	372	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4968	AgentService.exe
Token: SeBackupPrivilege	4360	vssvc.exe
Token: SeRestorePrivilege	4360	vssvc.exe
Token: SeAuditPrivilege	4360	vssvc.exe
Token: SeBackupPrivilege	4412	wbengine.exe
Token: SeRestorePrivilege	4412	wbengine.exe
Token: SeSecurityPrivilege	4412	wbengine.exe
Token: 33	3332	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3332	SearchIndexer.exe
Token: SeDebugPrivilege	2944	alg.exe
Token: SeDebugPrivilege	2944	alg.exe
Token: SeDebugPrivilege	2944	alg.exe
Token: SeDebugPrivilege	4804	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3332 wrote to memory of 2412	3332	SearchIndexer.exe	117
PID 3332 wrote to memory of 2412	3332	SearchIndexer.exe	117
PID 3332 wrote to memory of 4424	3332	SearchIndexer.exe	118
PID 3332 wrote to memory of 4424	3332	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe
"C:\Users\Admin\AppData\Local\Temp\18d309744f633b1bc9774e21bc7ba773274859c4bb66390ed62e0bbcbeca87a1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4628

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:976

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2040

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3224

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
218c93825d8e9e2999732f90f268abee

SHA1
ed5a24ccc51be1996b3c6cd8d45fb5822dbe2c3c

SHA256
29d1cee808305b79f69a47733e7e7edde90039b569b78b81579846f456494b72

SHA512
76d57b748632786cd49620ec633673df6d970c085984040338c74b3872e0b6c3bed47c6495b4d4d0658c233af70d05416396fe075ad9ac01454022a7c2b5a11f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
67aabfae214c5db4f2c7e6e281318d42

SHA1
2191238ad0a42537db87f1e8ab664d08ffd42fd7

SHA256
0590ba3a74559b8425747dcdb08505147f1569f8a5b5cb10e3de055747d1828f

SHA512
00db800ec0e77ac6e32ea579f19abb6ff2700da1133ebe0fb8065b4ad7c7018594f3e872e6291b2f1102bc5e7f84b968104c8b4f5a45cabeff8f7ab2438e459f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
31cf99a657607a5490f9d9a92ebdf8b9

SHA1
04829ad9b2167828314988421502c969b640acb1

SHA256
8c7e15a287824732e3a2f037765b963026db1ba49582e1cd16b4e1eb277e5b39

SHA512
52ba1852a1e3953208c490cc5a361e1866a0ec7101ce9be7f65f44e0d4aa97d35ea679e96ab6e8f55746bcb3ba1fe7a61d02fa734026bef4a39799c936d0f6bc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d8aca78099aba306d7f4c11c5257a6f4

SHA1
fe726721163c1e4aa157610271d81636b16fc168

SHA256
482c6a557ed5d720dfb8ce1885ad577be5aae4317769b86cdce499070b1f64a9

SHA512
5b03f5f0ccbdea7cbba9155eaabd1decf808ab720ad79519dd1db8c41f9a03f73b2ddb80530a93480bd8717534bd7066097ff35cbd6af340bf126300b104e0dd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eb4d17faddd589306efcfebf3f1fbb86

SHA1
dec458a3c75110b02818134a2f49aa3edd672696

SHA256
abd02f3a89f85a23184492ded992e7d7f347ba46927b48d59da6e50de9d017b1

SHA512
7fa7ede3691c9904c8828c1a76c26311b9e5625f645427bcfe2501a186f336ac42a496497fdf0fbebf061c16b4518b0854b47bbac4989136dd0eea5be1fe327c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fb4bf10b581aafcea2c5f94d1a777199

SHA1
69cd79696f166e90be0df50c4f25dab6b59b3c15

SHA256
9016cd51672c35769b537b47f905c85660aaa864a7ee2fd97d72e1d510489689

SHA512
68e7bbbfebdee3aebb1cdf06ee7f08aed1047cd1f8b58191e7458e4da3a777917346ee0518bc435c993383cb56e941f42118f8886825c68263e5c4e3759b4efc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0573cc30872c8163379c35a95b635798

SHA1
d00baf946420a23ef548b2b1e032d628827f0119

SHA256
ac8985f40a9b16a607e20858bfaa70508756985c03931e4cc92db75184bf41bc

SHA512
902106eb514828459a2198a00d9d588c8789ffc2a558897103da20198a635cf94e6a29b6ae6609529893a346f2512b3c16bf01fb78d65787a043f4a315939553

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
25e821bd606c49f14a6fab4fa66fd6c6

SHA1
83977cffd2ec1defba5b1767f01f89844f2162dd

SHA256
8add23ab264eb7063bb7d2760d9ba0d5536b05c10759ffc4db88c4e741a998f9

SHA512
1d2532ab49248a07aec0ddb89c0c0bce43473d059459e625c152daa2c32d81717d47a46ba62b394305a25d905d77ade462faf42682fcb7d5370b6a8493bc8c16

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
e769d8051c250ee4231c29653845cbeb

SHA1
9673a5379a43a0a44112bff38c74e93b8b8ce460

SHA256
223d2fdec015ec2e1603d845a75e666375196477af23ab79f71c7190b7fb98b0

SHA512
9d59e47cb709745ef082c00a661f83ba65652a0a67730aa8951558199c9e10133023d7671cd419c3b1d85dbc57f4e9d095f98cbcb58e14967e949f993c804848

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
01eee1a253e106f76fb508ea42e0b097

SHA1
d130d013b915d7e4ce1acb0e9dab7d8bce3b49f9

SHA256
0738615dc1961776887b846ddd75966035d477f27be284a81e18d1ccdee8060c

SHA512
a9a55020756c04c4ce31b4f0d1b47ff0c5a0c8ec3621c55512ecd469eb4e86d339fcaaca094192c5400943faa56ae68af03481cbbe58f33f895987acaaaa61b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9a84f368b8c0c2112ea34b6c2ea37ea2

SHA1
ab80e610b7419f926c0ad435ad605aa9683e7363

SHA256
b10d3fc754f1a05932ad910f0c0b3638d420fcdf8b1bd5fc0fac0c8161782a6e

SHA512
2a8542ed98433c306e479b3a807a27f54ac2cbf643ed43fdcabee2a2c0adbeb6a928f330156fb2521d8b99e46f5ed754602691dc824713fff79fb2b6c7329328

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4afc5ebfba82cb5a38f86aa4d59b4b47

SHA1
011b81f7a51860a1f4738d7426d238962d298739

SHA256
6e97c75acd3d4c08c5fdd279349b4ad283a9eebdf94eaf44e181b5dcaf12ee9d

SHA512
85d49738452a16fe2ee33fd8483fe4f7d457ec8facb8bf68add3f3687deaceb8f2b4da1ee3e92835c3e7881b81acb5a7f8dacf13621c1baeac48ec99481a31bf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5814986ca6a6ef648226fd3978d8cdb7

SHA1
a990d833aa6d4efb3f22e58cdad0c19026770e45

SHA256
c0480ff4b93bcb894148a11d94598a92c6db5567e2738bfe37ed457f8e28a5ad

SHA512
92657b328a437b87c214ca3c018517b8e73235b9b5e5088f043c4520326caad71dd552ef5c6c46af3892408e287bc215858895a51bdb03c04e6a44befcc1b230

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
68785bc8b0929ef6a6b20c05d6f285b5

SHA1
621835e274f2c19bd3acbcb917e6e9302050873c

SHA256
10e4fce8e1bc67c901d2d2ce46c24a40cd4cae79435d958a17513bdfe15df4eb

SHA512
553597ee93e4818c6ac875c2e104153703cfd26a4b46f433eea0df5aca7f94b66bc2f9512378d521e79b8a9e516b68c901b93910e34159d89f6ff1694f3e18a9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9528e80c6f0808cc74c072ba35bc5679

SHA1
924ffa9bdddeacb4ad001019bd6dcaa63553882e

SHA256
1b2fb3b24334efd29ef5c4c8428ba99e4976354e6fa3eb04a79b8b89ad8b0f74

SHA512
d71d284fc1541a11f9353c40fbdd99d51d56751465dbc97efaa00f8636ec25fc69b28de7dd618563f2676bb2c3ef0c43ad22bf94e48c88bd17db911db3c49508

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
cc8865408f536d7d0b867e10699b179c

SHA1
194be8279aed76a40830f48e960ce8fb063c3c67

SHA256
675083eb11ed1bc17bde4a70f62ff9e86bca2d0a66efb5e0e099c59ffe0e56f0

SHA512
a1b470d5a60d3454461562c5408bc0fba1d89515fb8d3e810b10851d4f106cbf4cd9c917bcef8c9a2920efe82c35d9ef01ab7417f22eea22baced6bc42d3cb12

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
1923f353214e25c3fdd9bd771f0fc392

SHA1
51ec770bb4a68f4f12776994ab5f7542478d5f64

SHA256
b43a4b6005d18bee53bdef999c036d43db96a812526f41ad7486b1d70092c5c2

SHA512
d294d757fef00c7a3c542c764e1b0a21097fa09b8eb9dfcde77a91bfd14b3525761f69a38fcd3ccc151810f62581083a609c5cbc299db8f2ea1e75d2d9b30fc2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
1ef61cd7ea8fcd0abff354c9e4965c4f

SHA1
440230e8c0a4b875e5455d698724c3c0b95a57c2

SHA256
bf7f570199a5e9a8c7420325a8e7fffc0fbaf44e7d474bb9c6b7cd47b029673e

SHA512
2635c6b6941dd03d60bad054e28d676d0d45ee95824d9b401e654421f2d74aea69a768e8af808ed1f5a5fd779172286d35272e18351066787326fcb2febbc1eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
a2ba1e6eb00ba4c5a7ed32c4570d2575

SHA1
f03c2094282f0383ff478e837d9978727718e1a9

SHA256
b9d97521851139bfc4629b970d1dd282789af2ad2b8935b8ed25dedcf2863124

SHA512
c88d117ac99f7eca360ecaaa67601a5b148953a1b9948ae9407d1bb61a6709f8794ae22f0b4663ac8b0f4bcf1260a125262615b8a884045a9bd8acee5fde970c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4b419770a42554db78ee93fe071a8d3f

SHA1
9bb751069170897660b8fa36372099231d15339e

SHA256
ea5650e255f3e0d43c82f23d09ab8cdd9b85797f9aff515d2b715286c611e1a8

SHA512
360b33ab9f6268b2569a75e9b80154091e1d60f4e178a623bfe88cd0c5cb078376b5b9da2df9a06cf2945695b2fdf314819499fd8fa01f75cdae27fdc3f9148c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
db5408d929aac6f2055fca9c6a73203d

SHA1
0a49d10067f3057659266749da4b09263fa8c464

SHA256
6a60d648d769ced6a3064c4dd4b5c29b6fd1f392143e88cb37bed15e13b903b2

SHA512
1046655cf4f9938e5fc7f8e7ee40e3f5d92332ddfa5e708e5fa2b68874b3947d0f0d1546a0cd74bea7b8afd6a47d3105b8ac20fc9bc9d421a1984be1163f399c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
5277daa442af4709e56887416f8a525c

SHA1
6ccd64418a445f8ee1e52274a2eb01c4f160f7cd

SHA256
45b6d33c546fc814241997e4e8c61cb34bb45ba9b792a81fefed2dabc8cf9f5c

SHA512
d62e9ece23f27c288519f0c60cecad6daec7502951f03576b1cbc3545d9af4c4957d8fc5605f5ac386ad07658b74a2e966fc4e27f97e495a209a50a5776fcf20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fd53c11e22fde23c57d0844f23026669

SHA1
d50c56cba97ba2f8b11f6a58d3e356a3f699c620

SHA256
0e5b706126c057b70644bdc679a784babee383dc8fc88b7fb99d6de9e794c020

SHA512
6311da33ccc0d0e9d55b6719b9cc43e5bc785ae59730cebb371428aeb890ab2a354bfdf1892f9d4500dfd930ac83741ed2988ba63b4d1acd22d42d2eea216d56

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4fd293915c1c86fd14230a01123275be

SHA1
921444696f323c9f0c6cdf537cfc68950d583bca

SHA256
95925353b0e6cc123e1a332c7487c3b89dc279ed238fdd3fc7d7021e2f66a69f

SHA512
c7014b041d2c33e4fecb6b2628ec5f6e7cd578cb1edc335ccb491b2d986a0c2f208d89caebe7dc0b8579c602857a617258569c5b3941bd8928d79c0fe73df5ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1810fe32d4467e1173d060c3be650c6a

SHA1
96fff29543f37863f8f388b793127405c6fbc6a2

SHA256
b7e50afa12730b5bec0b5c8b4576c7391d3a43fcd501ff9261b1970fae5c8c2d

SHA512
38a3cbf4598010a54803e5f6806938bef6702f904be2a09b3c07aabc92b58ec4f8c0665fcef529e2b490b8baad6c5a4957a51796ba16f49a861bd9f77d2a31d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
56af47eb9577ae969a46543bbc8ff46d

SHA1
ca63cea939ac36805d09653f568b0576c7a46f9b

SHA256
ac36c47ac4a244915b811cc6eb3343c3ec12cb766ff3cf228ba4ad4510bb152b

SHA512
eda8669b5b9ca4c5ff8d1e0ea97a72604df13b870c909d3e0c842299e8590cf72b31894be0dadd00f61c5a86117b44b5deddc57ea01c1942a845885a8c00aa32

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
409ddc0c7bd5f78208ef8bd18648192a

SHA1
cb4ba75e763dc6c3a8e99be908959b7582f163ec

SHA256
9f1c499f3330f9d6294436b9997271ca4fac37fe23bc38d122dd17349a4289c0

SHA512
fc4804d5e6b9a0ec2cb9c071a9aa910a692889d4f25a97101c3546b087b4b20ab7a42ed68d5214b950ebf528e3b7edf87979d58711eac0493df637c4a3c76e49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
390f847cef6403542a9c3acd41a68290

SHA1
934782da82aa47bb5843d115713096f6932b1cb4

SHA256
27247b463af263dc455b17697e6240a7f921026e8cbcd74165c1488e412448c9

SHA512
df5cd9186f51a3237b42cd152f531daf40418ea1a2443440a140c6e15f204b5dd57c675d1bae3ed52f2781b4d4bd2a3a8f073505e19dc6370bb2114b8ea53e1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
5e94d069dfb9de81d483e1b31c5605d2

SHA1
86dd8660ef95be0dfffecd4aa4dcefe391a367bc

SHA256
166bb755fdd49d4f964d872505568033960271835f2c2c0f317adc8de413f1f2

SHA512
e01c83224c14a30c7bb71c5efc9e48c1a47c112ae409a6ecb3f3bbf926a72590b4de80f27a7239041e3dcc12896558e3c0ec2616ed56bfdb97dfb8666a06d039

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8ecbbc0d02624859e32a11de6c6a0de7

SHA1
be00a8fb5621d6222f89ab4f48dc965038063047

SHA256
6fe15f65c5a7d9e013a08a969d5ffe357d16c213c14675fe3300ee071c14392d

SHA512
ecd6bb07e15af2ebe28381bc9dc611f932324a688f3ee617302f6c05b87cff8eea30fda6c941c7cf8d15bc7ff29b8c3b1e5155397d905b5ce14e0d809da132e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
24e5da2696cf077a602b04cff5113667

SHA1
794bc985fba2bc9573781a406f17027df4f5781c

SHA256
9f3d15a3bac432a54f47f6e034440127d17920bd9c1a5e066d57c95015a0f153

SHA512
c14328383637db8439dfc9cdd8546d32356dc61d0848898755b491d2d963a2c5494220809570425afcd587f94f5c4d00f3ef13bc71f0dac74854641e76ee55cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
63ee20eb3a1a14e7d5cb7b402b007f5d

SHA1
44193be5240904193bbb81c84b3e6f20a41918ab

SHA256
5f45338f2650226e310a26e5deada704589998e09a4ed5e0f0fa1c398f1cbda9

SHA512
f524937c8eff627ff57295a433b2f0a0e5ac73d5872acfb76a05cc355acf4176f5c7bae6b321c101d52822f447222c9420e17aee2a6e87ff755141468150a17a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f7ee23a71ef6e71df10299bb5399fb32

SHA1
46f4524cec9e8df74b011843e42294184120fb9d

SHA256
1891896f38ab91af72fc4d06d26156edf5262521583e55c110bcce9349b3d489

SHA512
7de01ca3328eb03c294049847e9af315139eabf81db7dc28579f84d058cc17a516cef519e730bde4cccdcb70b704b56d48f1ad46e7f59cd99233b0840c0450d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c28d61603850452216433a2ca5b1d278

SHA1
e8f77ba604c07f1159793d588710c20a1ca08395

SHA256
932f86e8348ece2e3d08e22a6806e0720c4f8c1d13db64b952ae49222c345be6

SHA512
c7c845c4b9dfd5c40d8a4ffc8baa9f7afae79276a7a67b9eedf317f45ce1b7e22da59de70ce3906010ee9a9cdff498a49fd318e961876c2854834a78ec082d7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ebdf2bd483ae2a866fd1b13c48a69bbf

SHA1
11f02f850ab6cadc7700f83e1299b75835731ee1

SHA256
8defb93c8df40b7e7aa527bb9500cdac80205411aedcdf91161488cab4bcf71e

SHA512
18ce296d1c1331627be7beb1040bc953f845bf8118df3c8970295b6b35762487528a02473fa84ac0e0ca4344c7966b479069422908f1f024ff896a1c337b9936

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5aeb796915614843b4467202747d1dd2

SHA1
acfd5782fd2eb223a9ddca589574af266d074fed

SHA256
e0eb7ebf4f65c4841d4cd54d6e1b57db66a8f030e488ee3f035977b245740f60

SHA512
85da113e941754d7cae62be51f4c9aa2704debca2a5bb079c4a085340f7475967f23535f02c8edbb8899cecda02d0cb9f704a798939b54c3264dbd43464b9afe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
fc4c89adf4a5a6f276d150177b3e5d0b

SHA1
95db7e3a4508eb56f381e9acc23421ca6c474823

SHA256
3d84d8f919a6097a32ef67a26d3467e6cf8b3663e72494929627ceb9452a6cf0

SHA512
76625e8f390d9a1672515f2d3e9eaa5a600fcb2cf06331f639dec7104e6cc3a65daba7aeae6fef43d39a5f8892e764974a7969b82ba0853846ba6880a629e37d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e39591333da2fe3ccf56de2cd67840b4

SHA1
38ba2cfbff0b190897b90360df2e928699800342

SHA256
b98b3bde106b969afba5de86e388742a5325a844a070ee04e5d1491af3ccb126

SHA512
3b539ee177cf3ca6d1c3f45e09544a9ee3f0bb88abb9091ac3b203c641252b7d4bcdbb3d4161148c42d52bf254c2dafcc2253685e0312c662ccd4cb419a695b0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
f0e7313ab3588ae25b5c67f105c85795

SHA1
28b886b02c1649e94a2ef1817ccb5befae4467e1

SHA256
3445e29eb1ccb2df061c72a097aa556b71e30af403fefeaec6fc2031366cc50e

SHA512
cfc8f75c3a8db938892a07f6d7423c4c486545c9d11f643142eac4c596c06eb0cbcc90be2923709ea113a133d07f690dde55bfaa2dbfd532cdedbd2c6e202fbc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
810fc823b593279ef481d88058ddb3e3

SHA1
d2d2a8a3b918b0482a08626acba18a297a1b3a4b

SHA256
3338fd12971defb742ebd74676abeaf345af3cc4e92b5f73f1f59a98cff987b3

SHA512
5ea525520dfcba732f44857ce3ac52e178e2ccbe6f0e17ba30070389f431cf73fbd9b37df413fb94f800c7ae1f05ccdbadc29ad5c06470300c3d96d7e3af9e2b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c8c3f1b38d12199f12bea8913e9161ca

SHA1
4136c2eafd2668f5fe60de27f96b0d395bc667eb

SHA256
24a689e31a15af98aed0b80f048e5a6015fa48be689a280ab8ca9fbb79a879c7

SHA512
1fdc22bc880332e9df9f8c5ad2144384cee2c4e6105f41e491a3b3bb6e204647a29fab44d54d107a50a74f4bff04ea16b683fc95b3dec3315848940dc48d3928

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
26baf13f14ac441004caacec84f2799f

SHA1
16a8789e1ad8bda133c7e40ef6d6f341d43f8fa4

SHA256
a8957289c7fe150fba9ecac123f31e3e1264a0929f1cd669f26b826ca1e86e6b

SHA512
469c0172e80eb2061fd0832bf5a20ca4d878e971599d7dc5cfb452676c1839e07fb5861c56d6be90b2e522107b854428311e38bca324baa032223a19ed20e06a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b91794ac130d84bd4c45360f3ea977b9

SHA1
98ebe914a4ccb07b5f891942ce65e109a68f3319

SHA256
d7f1560c64a9fb099cfa47d4fe754f673d3594a351516f8d2f3dbf8ceb4bb5f8

SHA512
51266bfc28d66e31fce5c21ef50211ed48d37c87f1cd10a5df5bcf59192f593aed201016efa6f53e194f919020e411d24798b778e5184f5b26d00b3126d012e5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
93218fda668402640e42a8953980cb49

SHA1
1718434d901500c20c67649e282db01636d0af62

SHA256
f93d2d71c1e5e6ad4254aa0d8a38834c47db654d33428ae2ce333a9dae9e2fae

SHA512
4c8b6e04ce85179864ad675aef9f8e5b566caa7e4fdf1414a6f85b25a64a407d76e7087dd0f954db81f153427f42eef56cb4a9d32ed785a392076d1d6515f517

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
eeae9d9150d5ddac9fc25ebf36bc1f54

SHA1
1142cd495385b15e2c861373341fc6237fd32448

SHA256
e50f11d28cfc1f317b493d7ab1264d21536117f39440346a1630eb7a9b29d76d

SHA512
08732751a4e24c3c01d653f957af16a63ecdff4ecde15f4ec0de9951330ba63f68ce309f9c2db517d9dd14e657b9b485002cd68071ce8a2d48066638bd8b6919

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8371259bfaaeb66169e71c1c4132d91a

SHA1
f7865453c5c7989054d67b29f9b86bd6e310e53d

SHA256
9fe294f49071b8f51483cf01865703a93b0a17aeed4b4a145ab3e2e03037b2d4

SHA512
262225c35893cef663086dd244a9c8be119e2a58e5baf1e566b554a787df5235f2bb2def288e1bd919af7b57d4c7bba2b2d351e9c9349bb9bee1ea15d6124794

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ae9133518fb352e15557064d5616c21f

SHA1
4902011d776a3e062888ee559b8b49801a8b1784

SHA256
a2b55d0aa571f666067a886359ea580f083545702daecf9f551f343ce63b7bd8

SHA512
1114b6567af4b899dd428f4fd26274a2b9022bf2642dd840bb6a812e554d511d95f0384c17d205de55ce43655a41f56377e5911b55dcfc8778c56814ce4e181c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c48f19b36d3b2eb82b4447337b079921

SHA1
87ec4843f99c3d2b47e50288033fd44b8994767e

SHA256
b34eac8efc3bb8d3480afd33db2d7f48c57947111f926310c5a6a719679f4cbe

SHA512
6bb2ada546e7eed1548e4ebbd6971a1fca7006c2eeef3404f8904386ca187e6db33625f99cb53da5ce80165f222b0ab004ca63765ca3a8aca349a03224bd4ff6

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a26e500452ec43b04b22ac4fead3bd53

SHA1
89092b2a15b7c909ff5efc34b64ca6701f9b011d

SHA256
be1e50595358b8225e6fd2533c96bd52506a9e14bd66560ed073f6e3bd8b846c

SHA512
5bda89ec31ea2607817240a7a49e68945a45cb17da534279b34aa0bd616ecdf3bc4568b7faa3b9e3cdf2f3c6bc0221fcf16f17387dbf750294022828ac86c27e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
117c3eaf438f8d699998f6ded98d35b3

SHA1
9e7e98b15a6211f5804746a98d9383018c2807ad

SHA256
ec1760119769eabce1cccfa4fd81c3aefe37c3d9565adc2a7372d8185f652450

SHA512
9fd7a05559f358e629de9e320c784bd752a74f7db913fa0ebba74b8045cd4b0228bd05037b3e58d61a6ab9aab54d116d63b65a74dd43f906a0db492e7123b092

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cc9276195334126070cb304f7f1d5877

SHA1
9d51d4ebb43d016ee537ee3aaad09614dadcc2fa

SHA256
c33ecb04f05f27d96ed779ef98261e65bbb1cf81b27a88192fb47ca65ce8d1c6

SHA512
9855730a548be5e1d55ce689cfb873eb21595078eeb5b295f51eb7e016ef3fe082a70f380b7213eed3c9a2c314f4abc30763dae4ba18f8da8310154c36b80522

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bddcdea4cdfa02012ed66f437c861739

SHA1
5144563fff99eb2b329a79aca8ca2ff3b0c015f1

SHA256
1d9d48faa2f919a4dffb32abc39e76f7c5bf5cb95e97ba71a0a80f1abafdc57e

SHA512
7eeb599ccbeec0f62ab021dc7b2d0db21a810d5b433c527ccdfb731026e9a06519b72f5e31cb7eedeceab423ee8cae8f370ff19a998952b9f8cb714d0cb60f74

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d5f08a69716a85762a9254365b48fe60

SHA1
979319df6de9f08fb107b0b4f9195480cc241f81

SHA256
30f98d4dc2120430ea63fc4792c2c2b03a19c5666f9caddd1b288a0f40976476

SHA512
d86d76c10a041fc696bb5c3d2cf1018e8ee3a98487119239f93ebeae8d9e034dc3719218af60cfbded2911a3b9554f236124084d377963c5f231f4be9ee2049d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
cfb1abcac64e0749a874250bf4627940

SHA1
59739577b057bae31b9cb5653a51b493617f92c6

SHA256
de71d8976de7251a23d7c37e7927e3827b3f74fb3f08ae210d8dacb7c8f3e7e8

SHA512
b1c8b4239fe6afdd2062b9a215ac3551e338c199835af8adb5243ba9f35db0c2152e100f374e0e2bda0bd43bc866a12e35fc1b19bc14b1254f3d436544ccd800

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ff78bb01d31f932e4e7ea363d657e9f0

SHA1
7de22f24a6828bd4aafd84fc4011d047a6878be2

SHA256
6c92a2d79b4aacf51e37334424002c2b5146a14839c324becc838567eb726ea9

SHA512
c0e70c8e62485f270bf26b5c6006d3d8152ff9c7053bddde7f9b8d2c404106f3ed3be86f032b4f645df247bb909ef4761f7f6d434240c14f083161dbcd669598

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
02882d27ec9983828d877973247307cf

SHA1
6c7d0e1605362c55ae2f560f185a6fa7297ca1db

SHA256
b97e42cde7a5350560a2f19918d39a27ec42c41575acb58ccd808d9e9e9ed253

SHA512
8382d056dc2f067f244d6821da4dcc01c93a520ac0dc7f36fd38530cd5498031e6f8a1e863459c6c9d229f06f122c46f8e377e3b821404a996b99218087c33a4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
da7630d4cc4b539db6861378d0ffcb6b

SHA1
31d9df35c879dcfdf5c387eca075d76bdaa1eab3

SHA256
04516608bb374900967c5f4b3aeb1ebe7cfd5d99ee9268be79d3db4fe683df5d

SHA512
a0513e82267ac9f5ced83b9b5b8d34e4b175b15e3306e5fdfc703f52c76670ed24e88d4224c878a4a35565fa0db14757ae3206ef0c57c2cdc9bd01b379253da3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b2d2d6dceee72c40fcc2158e9c749625

SHA1
5199f3ebb4ee4f0b478161cdd701e767bfab7661

SHA256
bc972527549b9ceac70eaa77cc11efd587450a2c0fff6e7b775c5c3b442456b3

SHA512
eba45324853e86f8334782f910e23204bb76454ccc586eb40479e301b113415e80e9446bf2eaf92dfc7e7b8c33b0c279713ad0b893eb0c251ad63a9da78f9fb3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4c56976b24258739e8dbfb112422efe6

SHA1
ddd57c4c1985d6751494be55e95337a5c60eae24

SHA256
6d765ab1cce90f793b0c3368773f02017a9322561b8c8612a91cd224832d0a04

SHA512
6e09d7aff55d4eed4d3216161a6217725b4fe0b3f2f00b5a1f5b60777ab7b1980c3d2582acd3170b3c3b665b3f53775a35adc4546eb48688553a1e7073f470bc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
8ccd93be3bfa132c727743058bd8f504

SHA1
583c9c864bd4d7ef113cff8de4e655dc54e7b1fa

SHA256
09e87190e9b818e9e4b1305f86108b13f7a96c9738686df349b3e36a4e737493

SHA512
8dfde53e0d89af26c2548047624d3a7f9feefebe8dbdf0ac458ffc3786522e9ad9f3a7ad2adfbed948b2a61ea4a1c43b60392bfcd02d4ad5c0c115e907d93a38

Download Submit
memory/372-266-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/372-671-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/976-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/976-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/976-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/976-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1084-222-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1084-573-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1096-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1096-284-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1356-670-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1356-256-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2040-669-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2040-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2356-183-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2356-582-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2356-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2356-6-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/2356-8-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/2356-1-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/2828-287-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2828-672-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2944-198-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2944-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2944-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2944-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2964-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2964-115-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2964-119-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2964-106-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2964-112-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3212-652-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3212-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3212-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3224-741-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3224-327-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3332-747-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3332-334-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3464-207-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3464-326-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4324-196-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4324-308-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4360-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4360-739-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4412-740-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4412-309-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4432-155-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4432-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4432-143-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4432-149-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4432-153-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4628-233-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4628-126-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4628-120-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4628-117-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4644-184-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4644-304-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4804-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4804-44-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4804-26-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4812-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4812-277-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4812-158-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4968-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4968-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download