ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 22:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
Size

1.8MB
MD5

ff4255ecefbc940a73b91f89b08f968c
SHA1

09648cef9f0236be42ec498c0abf8245a30d397a
SHA256

ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b
SHA512

e61737a82cc77652c1fb00bdcbcdb5a06c8cc6512e26685c90de6fa52a8c30931df070068036b09ca1605120a3f32806876a00b1ee13b763649c5cf9e158d5af
SSDEEP

49152:ZKJ0WR7AFPyyiSruXKpk3WFDL9zxnSi8FD5nb2LLPrFmRY:ZKlBAFPydSS6W6X9lnZ8F1b6TwY

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3556	alg.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
524	fxssvc.exe
3604	elevation_service.exe
448	elevation_service.exe
4464	maintenanceservice.exe
2020	msdtc.exe
4336	OSE.EXE
876	PerceptionSimulationService.exe
696	perfhost.exe
1820	locator.exe
3188	SensorDataService.exe
3944	snmptrap.exe
8	spectrum.exe
4340	ssh-agent.exe
2292	TieringEngineService.exe
1916	AgentService.exe
4072	vds.exe
1864	vssvc.exe
3252	wbengine.exe
1608	WmiApSrv.exe
4460	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\969188eb85ca13a2.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\System32\vds.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_no.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_pl.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_ca.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_vi.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_fa.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_hr.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_hi.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_is.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_ml.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\goopdateres_sk.dll	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM38A4.tmp\GoogleUpdateOnDemand.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051e00a31cca0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005c1a32ecca0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e5ea12ecca0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038cb1631cca0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000724dbb31cca0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e89a7d2ecca0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000783ea52fcca0da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1936	ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
Token: SeAuditPrivilege	524	fxssvc.exe
Token: SeRestorePrivilege	2292	TieringEngineService.exe
Token: SeManageVolumePrivilege	2292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1916	AgentService.exe
Token: SeBackupPrivilege	1864	vssvc.exe
Token: SeRestorePrivilege	1864	vssvc.exe
Token: SeAuditPrivilege	1864	vssvc.exe
Token: SeBackupPrivilege	3252	wbengine.exe
Token: SeRestorePrivilege	3252	wbengine.exe
Token: SeSecurityPrivilege	3252	wbengine.exe
Token: 33	4460	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4460	SearchIndexer.exe
Token: SeDebugPrivilege	3556	alg.exe
Token: SeDebugPrivilege	3556	alg.exe
Token: SeDebugPrivilege	3556	alg.exe
Token: SeDebugPrivilege	4280	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 4416	4460	SearchIndexer.exe	111
PID 4460 wrote to memory of 4416	4460	SearchIndexer.exe	111
PID 4460 wrote to memory of 2284	4460	SearchIndexer.exe	112
PID 4460 wrote to memory of 2284	4460	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe
"C:\Users\Admin\AppData\Local\Temp\ffe7d5148873bc6887e0e8199ea1fe912985088a2ff5e579cda1e1e122ff728b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2760

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2020

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:696

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1820

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3188

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:8

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4416
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
47e558cfb80725f08b3b80795e229e81

SHA1
57c1899628f7ae7c72f1ad84031eef2f855b964e

SHA256
19e7d2d9562f19972b1a3b462988cc33d6d0d7252cff709a133ae571985c6f33

SHA512
5b083e3f44eb57c5ce07cc3b4b380cb682c8993efc732d7d0c6752d79cc86a8fa361d5d7fdae7b1b1e18c10a6b9283cae12e3f4ea116bda290babcb8cbcb1217

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
861588bf99f10cf67411ddf41efd64b6

SHA1
68e098e921a0d44bf89f8b3bf8813212317e4684

SHA256
e545a416d75c9092685008f70e816f80db815e0bef0797b08c58760429cd1a24

SHA512
32ea19896553cf4a21e3ac54b8b686c3a8a3d690a9a9121762ef6d98faec6f22038a7b6b3dcbfb4b7e3758a986109e0bfd360f67bc75f80ac54a55264c7e88ea

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4e99b2aade8a1d746339ae2b0945a67d

SHA1
78cd03d8357b089e1d7c6d7533c3f47ea30c3544

SHA256
f5c5946c8c86ef354c323a4b9ae47615d4535602270d7cd6be11bbf93db86839

SHA512
a6f299d42915e910198bcd8eb6eeb4a7620f241609d9e06ba8fce150843836d13877e18cdba0cbaace3e8e85d19c08dc41a4d12fdb51535ae8be4560967e3cea

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
278bd89b699497d4c1754c82b27149cb

SHA1
38729a630b933f6c63ce9d6bc7128b5dae0bee9e

SHA256
7adefcd4ddaf8a68ae9927213c9e3f5d62b5ef21864ea7ccc12ae211266d0f50

SHA512
bfaf017285c91d76c9c95f72f7342e009c0a0b8c5a2d6986d4f00cfd3e3f5228a3097942744404931b80a531b86b77d4a08c930a67ed3e0f164e9ae557a5af04

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2334910e9d071adfff20b9bf91a4431d

SHA1
a5fee1521e54377faba390d9befb94039000b5ae

SHA256
c7fbb91ddad39716da526444fd8155899725ed0a17d1907c49a600881edaf6fd

SHA512
1c208554416c2471148019e49769c127d3b8974d94bef78296b73a2f74eba55ce77e595a29bb6a9a85fba46371b84e2198b1e58097f7d4bf781ef0637767b669

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3ca1e6d15ccf3e5daec14717839486e5

SHA1
de50ed2f65daa67185a8da99f027b2a9f2de825d

SHA256
9a0684fe91daaae27c0eb3aaea1cf04675c168813ef395e40ed061b892674f28

SHA512
53b8cf9f37132678ffe5c2ce58cd3a390986e191ca22606731af110a0de18bcb383fecadf74b60a5e27d42d2d00cbe3602510f8d6697004f47f8ad2ae48ba56a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6945c95433803a6ac62d8381294cabf2

SHA1
7a69a79800024b9e1ea41bf34f1ff11b29d66879

SHA256
aa894876a251bfc33f4b4faa9d963a3e202bddf5e5e46097851f67f05368ed54

SHA512
09ec6f08d3bfd0ec110015799d54f13a7e6587ff60a12d0821ce698aac97c467838e57e88864ac893129fec9c7b836baa72ca18409b172d343d11f323f2a13c7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cbe77466b0fb4b21318ae694b8952bd1

SHA1
1dfc045851f19c1d3f801f3ffbef2ab151dcfb57

SHA256
4af504d091c55714967deac4403847e60ff4ebf1d3bf71264490a5aa0e04cf69

SHA512
a367f97c3d575e368bbad43cc73d4926177b762f54b352a065c43948aa55fd984e1f11fb4e34487dd3a2ea0e8fb9dc61b43646286f4f6546cfb623edc1c7561a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1cdd0d383726d00fb093b5a66a42e38c

SHA1
cf4e5577265f92eb015b2381947acf86e721d7ed

SHA256
d0e532427818ff982318fe280917b33c1d03bc3d83922a090933a9e90b5e9bc9

SHA512
bb4a0454245f6e981ef5a9d1be4c99570d0d179d45b4769618a96149874d1e7a4c69bbf68084c14e9e9f6355572bfa4daaa995fe25d96ee2d740fc3e76c92e00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ead1fe6dcac946f1aae07ef298417ae3

SHA1
c4df961b6225efe5c5306459dce08674a0e1b060

SHA256
6dbad59786c02f517ced66591cecaf06c15ca32eda1057cfcbd8c8afa2228a40

SHA512
7e42ec1ffe073393b93b9a9fcdc1676394f24a09c5fcd4e371f02366ac474edce9c2c771b33bdbe30c7717c4c41eb98f9c72aa285705a670c926eaa93c5c656a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ea6e3b0d2feb1fafb826a53af4628aa4

SHA1
94b1b8b8c4fa398f88a99ee3a410bc06a6353ff4

SHA256
f11bb1b6e130e6a836efc1c8277a7b418e95f50b73d8714332543c3f3ffc1a59

SHA512
c09957179e917a404a5fe1155f45cbcd2132d11ea97b3efc98cbe0edb9c69d5f2973c671cce2d3460cf5d861ea71204481544c927a6fce61ea711c5db3900d96

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4dda2b52d2c91b9f24d8174b4a6ffab1

SHA1
d00dc8f850341c6cef55033b7bb9441ddf53c59a

SHA256
a17547cfbd50a364abea9d3cf897b16049d61b760a850f0b05fddd7818c9aef7

SHA512
397ae417ab8d3965d4a071731bdcf9f057073796ec9352b0c5d55ba7d1214ef800a2ea6de65a0ea1f2131a9acbb7d4f2ac682803e444d208851e7f9649f846b9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
80d15bce0dc6e93b9b61a67ed92ca902

SHA1
cde24101aaa73320ee711ffbef6749eb09a006fc

SHA256
7d567414b7e505dff9a0dab2224da1fdc782ea4164e7085bbc7fd05f6be51ff3

SHA512
77c3ce0ded774d78893800d0d4ac628fdb2800a4cfd94290bc5cec29bad0c85e02ca6f55b5be5378f1ab51abe9c629c801ed24b3963b6d7fe32410f6695159bc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
aedc1d656f468e0f99a51b76c7e6716a

SHA1
3c90e1ced731e68eb1d0fe4fc3cbbdf61a831039

SHA256
3f3192b355b53db685cd013ab6364807c3654c9f828e3d87404ef76f682fcc40

SHA512
e4d3ee075c94c7529a51fd124d141b1c473437057356c60c24479271db8158ab10a30e5fb22ca542ddf9a5bed9e18158c2139f4ff8e3f3cd8a55f7f2e54fbc05

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9bd54d824488c881ee15831392ec69a4

SHA1
183da93e2035e4603a5ab7e05bec322b6f54eb34

SHA256
2b359b75d4a17b697d1dc682783532273be03418e5d1473e5ac99faa004a0964

SHA512
0d68e778d74200897b57fc0fcbfd97b79a0f7a17b2750dfc339ba779e1ba00fed6cba0a804ce152f43172ca62630a4681ebf2f483ed287d0539b3c2778cdc75a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
c899b66694167dde925fd6fc307a340d

SHA1
f2325d4b0a5e745634a7b675ac17f8cdb88342d3

SHA256
be686b41efe52dfbd6a35edb43467f3e51ff51eeb6c28800cb4040c43583062a

SHA512
ce6d087fc31134af651927a4c4b4fee8b51e8fb1889493d0678fa3c5feab19ef6449802dd2b2fbcf7db6c6e677e7fdad0a9c94d89b67394d4f0f41b51540b52e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
bccde36ede9b41be039d861ed6e66629

SHA1
f622c1f7311a1e98eb8e4d1109a66be596d1b9d6

SHA256
b5240a3c63c7db4f3969df346cf57df6cc8b2089ba8c22167bf02de7e28b219e

SHA512
9dc5374af4720cd0b42d9370480e6367778f62ccaa30e945095ce6652fe68f35c7524cbb140c6fccc05b35afc0022fc02f991b753f0fc44f6ef20af3857a6ec1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
43ca3e49f1ddf2c9beef63ced41d9184

SHA1
8a8731e69cded2c8f9e1e25218f9117d65c56708

SHA256
4905868e221e7a31921e3641be74c7e4799ef5690bce86d03726aca512157242

SHA512
7de96a1864248a77108bce11ca06b6e2f12ab904503e131d92bb5e97f22fdac6f26d4a564be8595d6cbf191b750f5f5c74d23f6c040b3bd52a8da327f24b7280

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
599ca9243c2530751d9ffed9465f5a2e

SHA1
27099e2924a3ac1db9433eced9e59df652814203

SHA256
b783bffa16bf2ad9eddc1a4b18a14ca267cdf6236ad6a16089204488939d1d05

SHA512
e4ea94b651ed69b0576c5b62aafb103b152ae47c41fe2c2f6faad1588ac0e7d710b18faa8a2852c82a6646db816dbeed78c15e83949adf43453aac0932f2fd73

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1e38354753d4b0f111c8bff78b3e48e1

SHA1
eab248f17aa3aa807a6a5a825b7477c677a75275

SHA256
4c691f432789a5accbbb98057db80afac1e9f54be585da0af28c10c50db15bc9

SHA512
3fe650a70961c6aeb5b1a6dd97c69f6282c582a872f8c8bd16598e233f85e07282d3e7ff8d7d4bcf1bc970df05cc8fba62ee3aa313f041610f5ddace38acf698

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f7d51792c1ee11c8b3bba630a62d0440

SHA1
a3fc20139d8531a40aa498e30ea07c02cbbe4b68

SHA256
d302c2b3aeb0afd5456b054b1961bebe4395c2cfa42e0fbcc7d29aaed922391a

SHA512
3e08341a0057af62747e63a30ebbb64af4821e1669bccdc67bb82403545e7383472b3a3a8031b9714ae714e7e39e91186c2b4ca39ecbedde9714e8904d537858

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0e4b3d9930ab65dedbec3cde31046b48

SHA1
dfa403650ae3a5af0ed378ae8b6be8bfeeb34706

SHA256
4be3d58cf5738de04f419d37f90eac1c7331295f7dfb612604494d7f68cd2248

SHA512
cec7699b03cccec23ec08c5d5a3006f30e19ff86a128298afcbaab622a446c734836f85643da2c6385104c37637220e8a1e19173d7315c0b45ff760b5668b7ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
be79277acbfcb0980bc3a27ad7a5305d

SHA1
1772763f2cc8b75d69c650ce8af0f9189aef32d6

SHA256
e479e46d9a96caeb67fa51b35b832b5f27b854cf993cf15482723bdef7a66536

SHA512
ef4804bb2b9acc155d4602e854cb3a9fc1fa8e9fa197cefa2e2507aa2117f28a9fc02833e7b39e49065244465bee719666d7f8c3daf74d2c9beec95bff3596ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5bddcbc6b151e29d920417826b3d77dc

SHA1
4b13c16057f8a5e4924525b1003a4815ed10c05a

SHA256
38a344e90da1844c138888d8299616b75cbc455b16c7cdbc6e75ef44a25f44a8

SHA512
b79b97e59da16d6a2eb113ee193ac88ba06f5a3741ba4b7ca88bd0a9f6bbd150db12ff4a06bbf4dec4cba241f43a0a68340a169ab99e39652ac1a02fd0ac32f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
21399a1069ed4daa850f49798a50d118

SHA1
f80b1bb11475d27b207aac1cb376a596b4ca145b

SHA256
ab9b2894b52b5e29300cca34fb40874a956079bbcd4bec3d635b31ab890acfda

SHA512
9a3b4d4f53999430ba9e2f5baf781ac933db693e123aa6087056281fee612e422b89c498c806f716ad41df39cae84a6b397ec43727429b842025e1bf8952cf6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a4cdcb01690d4b15956b5278ae4ea13e

SHA1
84ec6569c75bb3664aa1d801da5e6b2a02a38acb

SHA256
4693d925fac43415f059797b679f140552f148744931571219a512af12ec1e76

SHA512
8208f48f4b8f914b537dc3ccb5776c15f800a614d2bdb6176f92c3f2cb4e107450e68285c3ef3846813892bd30dd094c10c7882a0a8c90c8b404a3984c51c60f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
908342fdd55427486c5ea62a29f3d713

SHA1
d1d72378158ab9b4e669608f9af75663d8cc2b9b

SHA256
6998935de1d919d57d2668e367d43a6ade60c31d0daf6b790f1a2c14b65ccad3

SHA512
dd8b5b0f8434f7874752be744db66c34956ba32d127cfeed296924064f2e7e3758abb097d1caef0e9ca03e6db2a5d598791442d608b645c250ea9adf9d9cf71b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
49e9c61845a5b16e13265fa84dcb0505

SHA1
3abadc3c85e14b526afaf535449bd34c3eaa7703

SHA256
2816b99f74505a148c2f62a90905f97a48d9736d1bf5b3e73ef53530156077b0

SHA512
faaaf75b43b0de036b5d4803b7022f6e10b3aae6eb699af7f1acf91b28911ff1f18540e446dd8a5d5ad585da25ea1723c56c23f28ed9807c643eabe50dc2c290

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
42d033266e7787e71bff757457ae13f1

SHA1
1cffab84a848c8553b45876e76787884ef87bdac

SHA256
b34bde3f9e5c603809f928be4909cab0397fa65922292651d792c2541505cd97

SHA512
d7c52345623cb9a922f2c7ccadaff079d8a3073ebb39caaea5837d6a696e18b45d59e02a6a5b7b45072cccaf2b40a9ca1efed8e5b77e9592f3bcedad9425f539

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
61d77030a66513e42f0cf2b8b279e73d

SHA1
e63e4812a5ba76c224f4ae9f02889f82c9325ea0

SHA256
f1d546a8318569f5de0acda06194ce8cbe3b077c70a813b9e8403cbb14cc46d5

SHA512
3a7a39308c6d266574886ec978ae56670bba1ec0dba59af0a1cc247164e2e02e8d17710f9e4832652eb046f09cd6c086a8ad7871dda19eb3788996fbd4549f85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
376684d5b7c76dce861e330ad304fce5

SHA1
66d14b970c931890e1b215a219b4d67221dceaf2

SHA256
52a98e41614dca7b74d62b6e8b70f8676f8f6de0aaa60a113b2a72311015afc1

SHA512
8caee37bc9f5bf9cc16dcad3ac9a55690cc2a40c1ff2c645c51b07b9622bd98623744b377d6b13fb51082ae45be10c33db2d593775013e50779f6df6c566e55d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7964d51fc1be63272bc20933d162a1f8

SHA1
11a1e45e7278e2d67df7f7e2f1abaf90c726441c

SHA256
23522aa7110cec3e1b8877f1cb4c3c2b7bdb3d1c7f96cc4782b4ec8622f86e91

SHA512
3cf69ac64f150cda2c908fc83ed6499b67440a6bc815ece6b74a34ece793823fa37b28f17751a6b269848b13e2c12ef475d590fc2453f03634bc9dbd50852cb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
24dd87ccaad976a21f0e0e5c07e792f3

SHA1
1d4232731a325221856fc8e4de49c72cb33dd21e

SHA256
4aea807880aebbf4308a6760b909dac699ffb243fde2c0707c4b94cbf05ae3ac

SHA512
3b75fc24f491bfdf425e8759bceb3d159b2c5391c5ab8c92e6bc18a9bf821c110712e1c8bca943b41ea720e3cf8a0c069cf7ffcce397c8c5448d084428fe1b5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
66e88c4a67bff71053660cf1835a1615

SHA1
c23d244882380c02715dc4f665bbfb568a74cccb

SHA256
ce0d33fece8bfbeacc9d1a9bbc419823c86cc2e9e2ab105603a382a3ce0c432e

SHA512
e66a7e75ee13c81c48a9f9abc8ef11f1503433287c6118779c368e8b2f4722b52aa9cbe164532311de5b2f8123f7b92929211f5dc50755b5918aea363070b393

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0f8882f758c00630de7f080f3d0a60ea

SHA1
7f19d727f41da02a44fbbd51553eb58e8b682f03

SHA256
84b4a84db380ac4c76335d11cd3fa1636174364e95009d101f857f84c0697f90

SHA512
48485faa258af4e7de39f8b746afa986f7e7975f4e59030bc11ce53930bdfd839b7a69636fdfb3b271cff232c4f2c0efab025c593cdc3b2d6ae9acdab38edf94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
86b019b17f154c81996cc88b6c4f6e3f

SHA1
04be823cd3414c3dca2069012dd36e5626354e63

SHA256
4644d3dc31af660c16d89c1108f4218fc1de3eb5291b638134f3b749c202cfd1

SHA512
bb9a914001a35df6c25f9ae1c4c95ecb1e9247795f2829c6a1e2e6a480d5f101779c80f6cf871bf0dbf18d68b58ee7f882f37d4f3ec24b80ee41a4a10d1d0e5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
9ccdebb4c65e7344512a9e7a07389dcd

SHA1
1468764fa6e9485bf9881ec552873cf5bcdcd03f

SHA256
26baa04ed2e3a98b25ff9535ead0ec475894be71ed77677558f10f362140c34e

SHA512
75d3917838cacabbe88e953bb181d87cc97e9bd38bb9bec1c6394d565228edbc709d74faeccbb2233f0d91479e417f68a1004ae2ca0c6192b8e3595213bc8e1d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b0873add7653bedf98ae7a15aae2d7ff

SHA1
6c9a01495a13eb26f7f358cda6548ef0ed020a8d

SHA256
dd88a56b8de8216ddd22fde8dae52b9c49213eca5736b475fd147a7332f572cc

SHA512
efb9c385f72472c3008afbe8c0d074ab3c431a0aa217e967b27b53575eb1ce05accff48689baf08e73c4a9d6687376071a372ed8e3d920c84c87c0f503987dd3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
531096d0d54aa4ab065f1999472e1698

SHA1
deb0dacecdd1c55ab3343af2d57bad28099f0398

SHA256
5a598dc6fe927efcdc84479ced54a4ac619c28d95c31a4af469853d3e172e23b

SHA512
cf4f34f7c10b531613eeeac0aab01352e87cb05d32a5ed1d76e15322e142c747132ee0cb7c44c18cce8016ed8337f4fec7a42d5574f5443c07ed683d0524d499

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
95d348e4d7ac96c972d00a2b04dd67bf

SHA1
2d5d71e7030c5ae2b7593dde1612a6777df8bb2d

SHA256
206c90ae3a4369b8073fc68940a95210a16074766956fd90a9f90cb46508369a

SHA512
8797cacb646bed058cc586fa811e606f2e28c7c7f66671d01cc9c104aeb0f571e103c801690892a8a93d38cb9bc6fabc880bc4e6950995fb2eea1094017ead65

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b888cefe26835931712492b966012c5e

SHA1
425cb3cca268a8cbadc77383986a79fabd4fa4f7

SHA256
de287f4e6d6fdd5c571beff790f306f2fc69f5f23601f8826f0673a55d5bdd73

SHA512
358de5499db2e4709a58a234cced7a1c78b600b6e3100ad88077b1295c5d42f467388cb237133989cc16a9f6d98788e02ed223f33d8defead0a7457837684b1a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d9bc253a1d13990c52e1b16cd101ba4c

SHA1
ba82228ce6b8245e7516624fe8e0042f9d586817

SHA256
19ad0773f7418fbcad8efcdbe0bbbf7b6fe3e0a75c149fee66a854a76dac4b9c

SHA512
12c504e78f09be6a380b9c8c1c47454ec6e93585dc9bfcc64460f528968c8ad85521ffb1ae80d4b41511ac5876638e51514318c00a67f19c35eb07adfa959c18

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
68cd6e07bf9bf2fa062f4306f1c132db

SHA1
6e337a60da5f5aa0c2160c70816d431ea275349f

SHA256
d957c7aaa1c2bf0dd8256fef84824d4aece51682dbd9b44c11cdb9885d6bbaf2

SHA512
0e88651dc447c986afcf53a9610162402d230755de197c6e096a31c764115f6d90ac3766560e449bf5599a3a6635a176d3c9ab75206528b5cb1a01be0271f9cc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f2f12c0212669d487755f99c5f749d85

SHA1
a484f830a7bbf2da2f6b83ed47541c998e962b24

SHA256
4746627a65dd6611150ba8849383a27ca981071d70901cfd977d0c6fa2cdaa8a

SHA512
7ad8ed423f8a2d53e2e2fb3e9f2beacb17ac12b686f0eccd5ae76f724a15982dd239d70770a049e80422cdd3a5d884dcc83bc3c192b8245ee9daa72f134fb646

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2d8463e17cb7a5f976343a09f26937f0

SHA1
7824c0c62c95048f2e4cf1dcb709a1ecee555d7c

SHA256
3204eac225092c8638046877c9430b0dc859b10d73a03f89d6a1682f1e1d24aa

SHA512
c8f79e5e603780a009289aadc0e0b954f80dcff4b513199e8531e8e3fbb91e8265c8d24e95995346e5f219526ffc45e6eacb309e442f2b41cf832aa19f726445

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
8e1a43c1ad8886d390d9ac038183915e

SHA1
18f28a6b7dc3c0fe0c665ba5c1b9187f64a7974a

SHA256
7782c7b8a98be63f4e8b51c73de43d7392123d08b7035844f42494c481a3d796

SHA512
8cadc8e94cc499dd3f7b1183a7ac5c814b011d8da9ede464c3f69c7585cf2d5ff4b946cdcffdda508ed47523ec846e540fe12e0d990a6c00356d4926e178390e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0e3979d94071165e70d5372eefc90c76

SHA1
e8ffb18a1e24c57364d52017fe50d9f97919ce53

SHA256
34fdd3399303e8f9cd71daa145b960a649631b7c83ccccd3ee951063c891b7e3

SHA512
c36d6ba204b8a5b65e3451f8d613227a006e14a22b914bb2fc03cbc5f3aa43b7e92ecf040353b51e12becf0b0ca24616232f11901df276e77b73c2d67c6f7577

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6eefdfea43013472aba185663d222472

SHA1
684c8e62bce4d66a33a617a46b0b2b0b66b10e08

SHA256
36bda9eba2571c2d3ba401aecc6e7666716c486713946594fe73d614d9d74885

SHA512
b560094f445db25abd3f55d85a606fdb1912aef6d7a4aaa83faa8094176fc30aabe980e030c575b5771cb9cc67679053a5108be7d1502854c3bb02953028ca36

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6b0a04d1d3021ec1f52569d4da4d9197

SHA1
557796cbd1dbea81b00136e955a3fe4153f6239e

SHA256
a00148657386a2ad440f20002458ba017d188b91ff390bd80641b3d4d7f4078f

SHA512
d00fec03fe9f381ac0d010ba1396e9ed5ddfd55af32a557d9464e8cad07f64aec681a7e216f5c3756701153a28712bf32c39f6dc662060f086a9d7aeda049302

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
063647127a17e8f3d8d48453608f00e3

SHA1
3a597ee9d0a6574176feac642510c70026373160

SHA256
02f17bc16766aaee2e0e2f5e430951c5862355b8e2cde22aea5132f328959c0f

SHA512
4c911dd656bcad4bfac9dba37a69fcb1d88ce454ab0d9821ad6be8ab7d995504344c995675a175222f761aec2196a378474d6da20ecb0c51c0779a0dccbad62d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
505b3d722ff07bdfcf703b5e8af6dd2f

SHA1
e12fdd2e20f2699c618d1d3eda016a6cd8a6d493

SHA256
6bbd784650dab49527670a644b89c78a88604b55e3229b455b945a8bebf6f693

SHA512
5fe3cb3029ba1c31ef169fb71e412350f56f348721ddfd2af1d0c96d01d4076783fcfbf3c12d62a9923fc6b8a49620fd3f565d98d239e66e947158ed24683130

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e31a9891a98b82792412eda5cd26f713

SHA1
cb752d22cf58a6efcae1b61995d3a7f9e8747811

SHA256
a58684908016de71c54c512f051baf1b6ac44d5f934906fd90d683a7d87641e4

SHA512
52aa22dd1938e549c05b30e5fee06d217fb073951a93d8087da0d7f23eadd6e2609a8c28e486df40a7c9f590070be12f8d7d1441c7346147a89c670b208addbc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d3a3484b352d71365adb07921c284405

SHA1
087a0de0d96b21f50475d0bb99c5c158d8b0b807

SHA256
5d64da1e79501819d1c3a8bba87e947c1dba307bc12e39d59b964606dd2d1785

SHA512
caef6234677050e402693026f9ae2083bac63775ed34a4d06f70541e6aec6bd87922fe0d73ac504ed1b8f941bbf8cbfc42095288bcad74b98e08050bda748fcb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6d05abdeb5e6ca7da49ab0f4ea64342a

SHA1
d7144baca22cd250e12b73c0d8dc26b601dbc644

SHA256
9df8a0a67d02e2ba012d96a84499de39662eb6bfdc3b72e683f6df64c968b54f

SHA512
cce36f2b9b5a0cf5f228f5137754f9437f27ae24bc7cee0673bcb85ac513ea575d3e8901c84ae03ca902f1465b27827519c0bea6bcc33ed3e48afc7512d0d722

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d0b1ed555eb5db9ec7c22eecfd05fb5b

SHA1
e00f9ea132b4f6387db23120be84e2ff428da6fe

SHA256
60e37162ceac8a652e6d8360d57498223d25ba2f14fa638dabdb8d583752e056

SHA512
ad952380290098151cd14d3ba36461a0bb72bcda38aa6bb3ad38e2e37f343e35741b4174fe6b57f394520ddca2a46aa9dccc6827881542276ac77e978b78ce7b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6fba2e2c5c891adb34f6df81e3c5475f

SHA1
1c3d5ad27b8f64f870620d8cadb8c9247f375eae

SHA256
9744bf2530ffe1d4ba4321ffb4441de7fae7952a6590cde6cfcb3bc2c0602738

SHA512
50fbaa9554cf330817db5156c0c6dc102fef278829075e2081825b9b81cc680cdf5c7f3dad99d6c661a0af07654d7e7ac6058dfc70b4730b39a0c089ac83a849

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
610e4c682631c097f430e1d5c9b44e40

SHA1
134725075de3ad996b50f0fe2b91c88d2b8024c0

SHA256
064724f857ac82a78117d528db4c00406bad4a3627210ead39ed260108c0f2bf

SHA512
8316909a0eba8dd7ac3cc920704f0227101fca3dab72127a57bdf5fe0540465f6562c7e7c357a6d3765a985610c1424f8f8fdd8c051ccc12acec2b3549a6e8a7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f34aaa8bdab5276b75817eb56bad4dca

SHA1
d40f13b92e5e3bfda765c5dea86c2c69c642999e

SHA256
86d35f897a019b1a9c8bb0dd851218cd552dc6c69b211eb82c76191457426766

SHA512
cc58488df683859b0839014b2920c9031ccd3b481925f7963a698e11166e3d4ec6a24b507859fb776bde4c0235111d8f1855e157578c1a45b2245e92964c42e7

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e23b690151b50b6b630e5dcd1d3a0b8c

SHA1
b9a18151d0fb87f54c619e3cbc54e886673d5a10

SHA256
a2d4dba4d6ca03dcae6eb9f528c36996aa2fc5f2fef22c10cf32e4accfd42d2a

SHA512
9abab1129afefdc0fd00dade7643bf28b5e3e32802696b11c29bb806048657dbd9504e9547df11be4dfae3cf2f7a65d4571fee44a432f900ffd23a6012a3fc7e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a21dde6337c5bb8a660da602d9d1288e

SHA1
ad7864ac5b9d920b0b7df5f7f4d4f01e527cb5ee

SHA256
fadc5f995a3d4b472829c355b80755a8e36445ef9b6ca47abb2fd928433d16d3

SHA512
eb4b79d5c797d91d997e14a3f59a530c2562da3ac05c024b857f76bbc91042c94b74b58191a11aaa7f33d1d2a7deb2f322dd1106ecb1a742837027f4327912fc

Download Submit
memory/8-269-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/8-784-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/448-342-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/448-134-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/448-147-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/448-128-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/524-113-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/524-155-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/524-105-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/524-112-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/524-156-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/524-111-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/696-265-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/876-264-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1608-792-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1608-321-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1820-266-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1864-308-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1864-789-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1916-785-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1916-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1936-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1936-1-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/1936-596-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1936-6-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/1936-282-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2020-168-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2020-158-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/2292-271-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3188-668-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3188-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3252-791-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3556-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3556-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3556-306-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3556-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3604-125-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3604-117-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3604-341-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3604-123-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3944-268-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4072-786-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4072-287-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4280-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4280-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4280-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4336-263-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4340-270-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4460-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4460-793-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4464-152-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4464-150-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4464-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4464-144-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4464-138-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download