63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
24/06/2024, 22:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
Size

1.3MB
MD5

fbf71efb1a2a8bdce9c040ee17ead291
SHA1

59827d2bb0e994450d033e69f4499fe833a4a609
SHA256

63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583
SHA512

17e727075345b51db2a4d9518415428c7bf306b4d423458fed0e1aa8a16ef482c00b9bfd20aaf0be9d470b2b795e97cff4ebfba1cfd09467b55f945cad3a9784
SSDEEP

24576:k4oTPkCgwCbae/Fk6OvgcObl0fitGbna8FLk2m1X2D4brr:1oTcwSFkeHblI7a8K2mFhbrr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3236	alg.exe
1520	DiagnosticsHub.StandardCollector.Service.exe
1892	fxssvc.exe
888	elevation_service.exe
2924	elevation_service.exe
4932	maintenanceservice.exe
3808	msdtc.exe
4380	OSE.EXE
1064	PerceptionSimulationService.exe
3376	perfhost.exe
5024	locator.exe
1500	SensorDataService.exe
3084	snmptrap.exe
2224	spectrum.exe
2376	ssh-agent.exe
4028	TieringEngineService.exe
4436	AgentService.exe
3144	vds.exe
3344	vssvc.exe
4256	wbengine.exe
3672	WmiApSrv.exe
3964	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b90275a7b3b9834c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\System32\vds.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\AgentService.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\vssvc.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\spectrum.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\System32\msdtc.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\system32\wbengine.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\System32\alg.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_93546\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4a2776183c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003158d16283c6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008340756183c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d2ca06183c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d57966483c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bf0a46183c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000098f836183c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001248456483c6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1520	DiagnosticsHub.StandardCollector.Service.exe
1520	DiagnosticsHub.StandardCollector.Service.exe
1520	DiagnosticsHub.StandardCollector.Service.exe
1520	DiagnosticsHub.StandardCollector.Service.exe
1520	DiagnosticsHub.StandardCollector.Service.exe
1520	DiagnosticsHub.StandardCollector.Service.exe
1520	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	836	63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
Token: SeAuditPrivilege	1892	fxssvc.exe
Token: SeRestorePrivilege	4028	TieringEngineService.exe
Token: SeManageVolumePrivilege	4028	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4436	AgentService.exe
Token: SeBackupPrivilege	3344	vssvc.exe
Token: SeRestorePrivilege	3344	vssvc.exe
Token: SeAuditPrivilege	3344	vssvc.exe
Token: SeBackupPrivilege	4256	wbengine.exe
Token: SeRestorePrivilege	4256	wbengine.exe
Token: SeSecurityPrivilege	4256	wbengine.exe
Token: 33	3964	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3964	SearchIndexer.exe
Token: SeDebugPrivilege	3236	alg.exe
Token: SeDebugPrivilege	3236	alg.exe
Token: SeDebugPrivilege	3236	alg.exe
Token: SeDebugPrivilege	1520	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 4860	3964	SearchIndexer.exe	115
PID 3964 wrote to memory of 4860	3964	SearchIndexer.exe	115
PID 3964 wrote to memory of 2916	3964	SearchIndexer.exe	116
PID 3964 wrote to memory of 2916	3964	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe
"C:\Users\Admin\AppData\Local\Temp\63810a2afbe78c5a44efd1566df113d55d0c41556fa5ae0a9c7faeed35362583.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3912

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2924

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3808

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3376

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2224

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4332

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3672

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4860
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b0a1c18f02611364db2f2ea8c56854e2

SHA1
f6641a337cf7fc566f23f538123abca0e0d8f229

SHA256
cb7e190adca1639a3b505cdee1d8204de413b58a1734575fd0efc8c80a3b77d5

SHA512
ca0dd6eb810c61acc48c4514d581b9fe1f920db5bc925804297b768aa498fddd86eabca703d4937305ca4c16060d129629708777719e7bf1a9aac763902977b3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
c87ccd35f523981960df87d10d13db6e

SHA1
c49c8ab54cf6e4fff54a77b3dbd39ee252fe1616

SHA256
e615af6041a904f8e28aab53813ba6413a85cb3655b1f6089e542eef8fbe566e

SHA512
4f27edcabebce6e3c693beb90ab2bb3139e7414b55935129ab6670390017e121e500b2d874ace01777ff7c22447ed7e388a2a23cb218f9979f11caa1d0f83760

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1faacd77daaff341c0442414d78b8d15

SHA1
95800a1c277df6f99edca43e92afc54f8ebefcda

SHA256
49631feaa323c9a1a53222cbdb5ce011aef70407efe45ab3efa0d4ccf00940c3

SHA512
e170f8e7f158199c4f996853029d29954e5a8cca8eb6b0c8c36d430fa9f55396d91ce62a90ae0a8576f5948a672fffa0bbf88e3b423b7234861f09c0c9d91d58

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
187816eff33675585e8604df85b9aafd

SHA1
5dfce6a32ceb0dcb8f22c73975b5dc5f4d57f11f

SHA256
f49041237e07cc3951c8e876320e4c80910d59ef127611bb85edfa7a32a46c4a

SHA512
a4ee67569218b76cd84d4d8a0f18397c7bef32dd0a568c2981c676ff48cb1aa016f3ad6c02015ab6e811197c58e43ae563237760faba340abe8c720492eb8407

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3f69dc5487cd6fafed0a33250cdbd99d

SHA1
ad003726822bac62c6ef45e1f7838ebe42f3d3c6

SHA256
5bde9e84c171990f5480675e83b017b791159041f578a5763064c1718c49405a

SHA512
cac8759a645a2403081010a6400dbc250d21920dc4bc9310231d3102f194de329b26cf362b1e82dcc0078797e4fa2e510f5cd2aa8a82e6b9e60ed9aa2d7b9f5f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
b8266d7682034b3afa53912e24a89828

SHA1
09acfc53ef53f3f05c2c87836576089cb4c6c0f4

SHA256
745f12e07de89d456e8aa8e599a82982dd1bf493b6ad1b1208ad0a2e62f91072

SHA512
5dd674f84c37fc5eefff0c90068ac33c63c33d56eacaff19c07b0a8d7dd879839921f09e5f45d7af51c90956e1648c3b212314f88fc440abc31f9d9bb1871634

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
477285591359b6b8ebd0341d8a74a722

SHA1
388b8481fe7521d3c9443aa2f93cd8f00c4b0577

SHA256
4815a9329d4af52391da05be445922cc3b2e06776c87c5b5f27efe0ddd64310a

SHA512
928bfd96946222db8cb460b20bb949125a40514393340d21672e99d78b000040031c37ce971dfe44b8943964a3b80f8a523f8f42dcf72a6b3f16767b1c3254f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cec6b786206b452bebaa622e27b179fc

SHA1
6da7c416b3c7135512aaae4cb5c54871db55dd8c

SHA256
0b507599f027ae7be6781a0857d8d6c9e6b4651a5c389dce51e2449070b9f11f

SHA512
f08e3e4ce38efa78c4afc1257f4a405c4cbe03924f0bb6b419931517ca2abd4d5eedc2c703bbf877803e68905d7f6f193f4a7c2ef27c746374a045adf4a20083

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
63e76ea3a6a0ffccdd3fb01a840c29a8

SHA1
a3c72d47936a75868f5cb5b820c463372aaa7b06

SHA256
913a35b4ff79d43b6fc53d7e40867fc6febd8477889a71fad4e09e4645ab8880

SHA512
0310702828e2136682a6b0adf9b31c3cc57d9be9828797740633c55883e0b2590b75321641e7cd35157f2984a427017adaf65a9d0992dc851bbdddc4ac50142a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8081010428a3e17e01a936364068ea9f

SHA1
1a73f6a5eea871c305ef102b99276c062726ee7e

SHA256
37e4a572d0b60510b0e39dbc011be922a1eef203eeecd241ac1e43021cde45bb

SHA512
9f810978786473ac9bf43ec8c1f9c71ea53b6b60b8eb14e57f9ec3bbb1c4c1df7c641d348b72d81d0ea83de7cc3d6a609b7ccf0a8e86f7ddd72adc69a06c59be

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
671f5ccae9beb1d24a05fae0f89d3bf4

SHA1
d96b72b8b9d1bb34ca6d3aff093cc735e27d8a0a

SHA256
b1e123273abb45d1894db49a9885116d3612e27d28449ff041135cedbdf27bd4

SHA512
826954e74206c4e0d1dd2523cbbf91d656fab21bbb99948a8d9aa08ebfcdfc41dc08a1496cab4c6ca15772470c25865ef2f8447d5152fab85f59a242ae88f754

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
73774b22b3776c32cfe928a29655e83c

SHA1
fd5e4ddbfb142e9f1a464f8a4d2f5ecca6af7c65

SHA256
88f64d2009f5f92686f01844bebeaaaa8876181e790cc95d73b3fa2cc16baba4

SHA512
f3636ccf6edb11ad6b460004ed87652b6026db970675e4fa0c106349c5c25b5e1e1158d2edce30f18caf53a810f4bf239d9d53d7e83c78d6dcaa18b74f1cd976

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
c9d49c933a5197f0d518d12d03a7a346

SHA1
8e260b28483f6ae0fa10709781ff98371dff02bb

SHA256
69b941a78bba1a730e30b0a7b9c63d2431f7ca93cdad0250bf28e9819f17c9b5

SHA512
2acffa1ddb27193869c9952d0eac56c4c70aca28a398da011042ce2aeb64680ff103942dcaeca17d2c08dd722c08f047909bfd674bb12527ac9a407df5624682

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
bcbdb191ea018ab48279ce5ce9360c48

SHA1
b1a1505ecbf3f8029e9b5d1dd742f4ea5934fe1e

SHA256
c3b98b05f4bf07abace561886add42b882f07968e4eb17094ad40d57f488017d

SHA512
57da9cbfbf6cc63d9aeddbf97c245894258afa9a5a3327f1cda2ffa587bd9c00d0e52270e6bf56e2e960a2874193fe323349df93bfa911c98fba87bc5368fabd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e56143b9525e412556d25f3b002afd66

SHA1
b6fe5eb2838354072d6cf8025ff745633db45458

SHA256
3f06cd3d2d33bfbde6d9db2786ab55c35671ca51734e1c9b503a6748910c5a30

SHA512
832dcd12db6a23e4d8ce750c52584b571c7a4bb394658f4f04828aaca08483f3a5f5a9b9e00f3291ba51c4be6f118edd0a2d579e88d31e7ef6e4bd709460761a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e016aff2ab60b34b6852aae9641b2144

SHA1
655fc9ffdb03599064cdc7f85953f01b5615d953

SHA256
b622622f3f08db0d56263914817e94a65df553de14c009cea5275f0c98336cbd

SHA512
73a50b8b9aadb28a433598727989fd3acb39e905a5f8a94e5c340d9b545769f59628c13a9d02617822d25119ef059cd16745c85951ce53aaad05c280450241e4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ff0d18bdbf367aeb37f683149e4c93fc

SHA1
2245c8440fcbb9b6ba538f52d863601009d00350

SHA256
b8e8766e2b8f1916ed3edc61e5638a2ce96f121ec36ca3401a9dc27d993419f3

SHA512
b9415a6bebdcdbd46da4629830dd93ba1489aab9f77c26b16868e95a59f5f8ba35c60de67a8eb67db4c453a64e59fa1f89b430da29f8578922c57b0e1abcc7cc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
76ff0d8f46056dbbe99ff20b71f3a676

SHA1
c15d8c874f0bdc01951e84a914f1c731053ee730

SHA256
0ec47e97fc385f2afa1d981d3f0df9f840f45244838114eb2a339b9fba929dcf

SHA512
95abe1cbf6e8e75ecabfd1417023d7b10f3388dd5423e328e36d782f5ecc2bdb5f5a64d8da36d92bc94e620cea61a651f0b18e8b414aa43b129a732dfd396831

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7b187a63b13c2b7896a659b10bfaf0f6

SHA1
fb1d5f47fc384e9c322f8b4aea06e10432e352fb

SHA256
25476c8c3a4a7a7582dcb0c8e4880e94bbdfeaf7a77487846dbff9166746ee4b

SHA512
8afffcb622d642bdd17fc3f33c999d16ad3b60150962c30098faef37f9c7bda71897915f9df2e24cd937fd9453a3ff25a91526c1a0f35e389a7972c780e04065

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
fef31b8f0d013e9ba15adaf5e816f9d0

SHA1
7d1836e04e5e2d999bda3858013fcab0c39576d8

SHA256
7fe903296d6f3ad6f7bbf2b0bf5f96cbfd1207af6460e2d60186c1d92366f7b6

SHA512
fa5edbf7d2d6054df494d698bfb307b705c57dcc4cff0a03b984aa0acd122d8a8b588c7660dc1b86375f2795dc148e5feba20581ebe51d120dfc788e08c59510

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e74e4cdc1593e19439f83b01ae476cc2

SHA1
a9d34a101665139dfcfe4bb7ab01719789bf01fd

SHA256
ba4a5870c39c127b692bf6690ebec6ef54a0911f7da6fbcb7d9e05786bb2d3b3

SHA512
3ef16244c784f2f3169750f594ef68c1340c4abc7ba493b7800df9543682faa6e3a6f1e8f1ad34c9b91109436ad8caebb93e30609f8eaa810c69a1cbc9aa17c3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
87aeb63ed76c4b9fe818857e4a49aee8

SHA1
d438668ec913bc12f9bdfdf06bad6f31327a0936

SHA256
8749cc87f40a3ae3873d0e9e918c232e7ff516e85548743950339b8033ba43bc

SHA512
266d75fe6f8b547aea9d07f28f4748f30f3cf04c77c0b6c2cc89bc8c8d2b3ba3c574ef829637f5b8ac95e934f4bdbd8a3f95f1ada8ec075b93fd3857b191dc09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
43fb280a2a3b7d2f539218dd1f8ed1ee

SHA1
20455b6bb05be4fa4f51a5840f60968ec691e8cd

SHA256
4f73ec0e80701e6fda8edf46c57e4640f2b73cb8ef90131e99f79851d2887f1f

SHA512
0a54f948b9b61ce72209924d4f17f9a3d73cf870c93c97cb0099f957964498187b8ab82adef9a5413a38eb55313af112c9080d6b8f5be43958b3d02e41af2b8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b0c78218a525ca848cd89455fbc5c8a7

SHA1
822c1fa5d831b51a13750f5dd931d3117357ae50

SHA256
aac1201338e3553dfa84a716879f5326a1c4257f766ce6ea3cef9980bd47bbbf

SHA512
fe08135731f697ed11a6e510933f4b8e86fe17bee3e954bcec6a2801722a4c582c9d04489d7f92c2e016a11c9b7154677c6087148477410ca9bd082b6ad7fe4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8e8d14c330c3385985ffad50cfdd39fe

SHA1
c594ee4c19bdde2758d9c66b1ffb66de00a9a314

SHA256
ce0312341f172c12e01c6b7318c2527aa712262f93ea8d1fa436996c8a3a6abb

SHA512
4a17efe4ae0f70e6003c046064148cf75871461538effc49366cf7e9de3777131a7d65a87be69fa04d1661bcfd11fd4711261d89ff291fd10aaf155fd412ae6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d8b8f40fb7878fdddc5b65db2ad07b30

SHA1
558953280fc2a3399a91358feacb049fc4e2020b

SHA256
8c916da7641bba2f2b607b119a6ea219db6b049864551741716a66cc4fd62074

SHA512
e5aed7c2b7abbd6f69d76f71d0b84e0393282c75328c05de4f87d4b0d9618559029900aade809af09ed84f746b40d4cc5fbe5cf7cf689fc87a8c768bd21771ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
61cb00057eed4f847aa3657186f33fcf

SHA1
3090679db51492e9539cd47ff32654f36b5675f9

SHA256
498269478b01925b42d364a40aa04bb6e51257d2674be9d62db226891a821b46

SHA512
de12374ccc328441fff4d9218d2f01dccadba8cad6440b349f16ff5b8dd82a216b6947c22e856efb9c4ad146e7decd26d0d5c049f06993890fa55a35208be308

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7dbbb8c56552bb915a44b383f35bd7ca

SHA1
e1ea22fc55adf9c5a8493a186fe18f5703d27344

SHA256
efa6cc0a10eab8b6223830d21c5296d24cc09588d28cb6802f4cf4d79f853c65

SHA512
ebf52ad43c1c602725d402337eb21ee88baa3fdbdcdb5384dba3190452c50e3259f4ade41d6a8a2507eac337ec3650a4398e12eb5d2b478d7cc88e272ce845cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fdb4cf3d44ed2c695b2b1372d26a55e4

SHA1
ce349435cce3919a52444d086788438e3e97b3fb

SHA256
71cc509e15e150a406b106c69f31233bab581adb47b0b044b69b3e6a78c1a4dc

SHA512
aa486a8753406abfb0ea4ce5968d1620f95e9fc81192e82778d87dd19ca798076b7ebb573f16ea1cd7f8ba1cb89c4a95646db9f02d43fa2ac0ad112f704e4656

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c3235293cb471a88aeb852e5c1908305

SHA1
11a81dc37e83949f4ecc0f070fb830a2b9f563bb

SHA256
3faa9045ce7b440b5b99c740fe0bf24a81118c15ddeff7c572051566fef440a0

SHA512
dc7b4858887bd01444b3aadfeced92bfcab30b729d63f5929debb619f9bebd5b246e3a2aa86a853518263ac819287f5fc8edfbc35ad233792f045e472ba478ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
cb244af2c39a058d37b17d288399b51f

SHA1
c60443f7bd7c9e8f71b11fff67ecdaedb75551eb

SHA256
2ae7f6774be7117cf308198a434e6eca52e8df3160936264c9dbca2c171dbe8a

SHA512
645fdd051dfdc85c754038d1a9c7186f8fe097288c350992efc67fd475dc8be87860b6597609cc18aebf1ed0c17dd10212f2c414fc6a65c1ba76a67aa593ba81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
599aa5edd6bab2cdc3cb277ce61f9168

SHA1
bea77873919b35108be16aebe93f2637a4493bf2

SHA256
10b50a5973fc31e8f56eb6282834a5065f9713e2cd6dce1d12f4bd7c26837c24

SHA512
8d8937dc3a3dff9e849a85c833f8b3b64752dc6dc512ea474f3f19ddd38acb6e8977a2db1fe5f33fba0aea137dae1ce36214a9e8f1463cce32149c91f0827fac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9448f457bdbbecf48a2f39078744a975

SHA1
7b90ac3f0a3be5e12bf7e86995d5118ffa9cb6bf

SHA256
e86b7ee0d158238f1dab70844002e47d6f52ac8a4b070d54399f4aad69d30058

SHA512
7e4fd1aff37d0ac167326fa67f5ae87c845b4c07f8ecdde18f0911f55d2471e74562ce67fa53145b149d2b8528e0e43e4b99a59c168b0c06c93adef79a35b1eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
16592d609f247e22147526f80ab28f24

SHA1
31e41d10eea9252aaec5a194d5726f0a054357d7

SHA256
b15e14fd2be2907e1e2d2836d4320dd45c53d25bd869009234f67635e0040e0e

SHA512
da08428f6a7d0951454318aa7b43caaa293c673627888e75be44f3c3b2c45000dd6695dd423563011e9f58d8b63c21827d889748bb262af49acfc8c3c6d9cf7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1264e2ffa8f1059598d8b74f58d0b912

SHA1
5af9d5a2be3e60f361425c0a5a6b3a27ef7de628

SHA256
c032b0ac2ad7409ff29cbb332637fa3a980e04daa26fc3078ea481461ec07e5e

SHA512
73e365f4a0d26f670f4581c98a4b97406ef1becad19225620bc5ced4732182c2e060a11ecdffdf874f35dde91b0350b6f9a3cfe4e092f4734a699fb458ec9153

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d1bb15b882d59aaaebcf207526faa7ef

SHA1
68c4770c17c2056ae7c96fa9710b54cb21acc14c

SHA256
6acea6f2f7a169d6fd44303af1c6d1d53366b864e3d21f65afa6e417e1fc4ea1

SHA512
5fba70779fa3d3fdd7c8c9e7a7732f5d669cced957f8632fa8cd4e652cf969a7464eb83ce8d4851ae33d057beda8b9b6f2670c0cee62fdf1ae57807c8b708a2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
98951697ad93af3baac2fec343f3d6b5

SHA1
8c022c5c7b9554513968c87b96a3f7c4424af65e

SHA256
110ad63696ba1f17b5e1f02068b6de78d676eb65a077ceb42a4f2b701a79d5e6

SHA512
69c6dba5266aa0bb4540d58e2ca40588bf6350ed49ed1d63d5db68dab91948a960ef1f1c5576f4422d777049fc62409a0db29c60c35db0a6a21d0d5925afd732

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
840adb4b1be771538d3f24885a7dc234

SHA1
e04dca7a480c267fb4bd6b6ed42d6845bdda3970

SHA256
fd5595a8552df8b1d43a7609bb6ce10a9c484a89d3615149328d4b8c5426f4ae

SHA512
be97babc1755b3f0f9bc5ff1d93fc4ed8ffaa125813ae2c65d6fac13c537e32f364bed687d9626aa078e5609b8294dd28dccaf986fa6a4ae0290eb94ed575e4a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
489dec25ff9b7aa3a451fcff1921ea5c

SHA1
29e40749418228b1e530050bb4c625f0f01b01d5

SHA256
235ba39c956be26b1896528566ede8e6d56faa57d68d05be195992fe96601af5

SHA512
931ec4287a6bc11993c60c91cc2ef1f89bd465469d0bf9e7aae10673c674d0c78d778c6ce74dc555e7eea1a957ff112a710470c958d1842e6e2409859bbf927d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c6e3c490ffcb6fd1c17dbde3a7458aba

SHA1
c56339d79d64a36aec187b8b4a6ab89a64e8af5e

SHA256
bf7f378b0128ad70353e64d025744ca46f8c79b183b28808b9e26feb36d2bc90

SHA512
2c07ffaaaf14eaa6482cd6eccd637fd4c1b07a94c7e7bc804f25deb328a202eb7ab9ffd2ef42f1562f0d13f55e10c3f79a1174e215601adcdb579a072cd833a1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
69ee38a434e96a23be2f159f714ecfe3

SHA1
f4eaacc2bbff26d6f52d8cc5493058e19360b40a

SHA256
f5b64a9dd44fd70b4a97fda0b1f21f10d40d0afb0efbb1fa9fd06a922a4db07a

SHA512
fa5e69a687df204f6ea18a74d9f081a3b5187de37ac4dbabde2fb1e6daa68c4ff3b978ed4095f1dee0a0e6ad21b825baeb4dae8fa87e022ab0759a34bb49e6c6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d010c8a4126edf67a86679b653f3cc68

SHA1
a9b958b4cd5c9c8de695597709254f9e00748d1b

SHA256
7f401992f11663babc18cccf26804c390389221c4762561c3842b478b86f7492

SHA512
eca2a1f6bbbb674eed3cd7b9d80282a45f80aa0ce9f17a9b01f5f1e0efe2d9ec918563318f357b3e77a25a957406d576114e61e3a57ae7f3c0f49f9225ab5ea3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ad2a2fac5216a9b440a3b04b939744cc

SHA1
a1bd851a105103f8614c0c7b5bf174dcee4cbc79

SHA256
6a06871ea8015b777d1ea71a48a0d900bf16baa3ea71e02647c2809f87516599

SHA512
ca18b5ed703d301b32175912d784d83ce855ad0723080b616d45bc188e93d34a22a69d2b702db745855187ec7ce30539ae6d74566b81a1f1694b4e5c1c82e033

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f932297d21f8095ed03bf55b7a79c491

SHA1
d15d099205544299d96047024a0e6e7f248cc5cc

SHA256
12ca8480914c85d59937a35ee10ca865c88236feb1cfd46a9c49611277db369b

SHA512
3dc55d67ccd06eab0b3651dc3bd772a2ec971b3baf5cec44165712382fefc6ae22555f7c15bc5cfb16ea93307415ebb5a7d26841513a7500371317e76dea0b81

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ddf06856d5262c83c6a99ca9690836d5

SHA1
529fb25a182bac271177babb404a421579a3b162

SHA256
7e7af66f9d714391633a6c3353d565f14b86429a597eba81acbdd66cea76bb86

SHA512
9be5304c9c66ebbb8ac6adaa7c316aca71b1e191ce10a033739d2fd73c0886417a509e75c4058c0477fe973a23a8541b2360d6c77c83ea4c07f03df46c73dda8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c999cd4e7b699cad1a9c0ebd35c7eb82

SHA1
31dffef7f57529e7695c7f4a5c1c4ac536bcd32d

SHA256
29e811a79157be2f846536396d91764e21eb18b0bdb2bc1e74e4c378d86a4803

SHA512
8474d5b98326094c669a9156d8b036ef551299d528dbeb3f1117b4480e926b9363a05077b455b92781455000a02557aeb63bd3318cfd27bd32dd0fd6ba19f37b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
48b40f5d65c48196d8da874c2f912a48

SHA1
0690fca6d555bd1a1528f30bc4e53deedf0ac558

SHA256
8ac5d401b7ca266ccd65a8897771d12cd0343065bb92a5100b50f725920b47bd

SHA512
d9d3e13b097c460b5332c7bbef319d3695d590a8db8565efade7c8eacdd84502805f5c0f97450393cdde3177cd510ae0a54bb87ccba225afcfc0d189b2d1b2e9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
fce3f91729d324e7de0d355ce6bec7f9

SHA1
33ad0b34378768a406f305461e204785b4be1f99

SHA256
7ab5ba0c10eb110b3a0ee958d8bc952a50029162c767aeaa2ac33987f5b0bb0a

SHA512
e66caacc0bfab146c3ea7c2abf6f3d07ebc736e68ff45498780c50cc858853f36ae2b78fcf122b1412a393139f0513bc9d78d7e8dc236363c035cd57cefc8106

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c2e8a205d4c49ecb90324780964f1935

SHA1
3b13a7c6417fdc88b60fc0b3f22f0b15f33673f6

SHA256
175acaf4858bc15cb2ae55424e63e2872ea256d7b2be94495836af198f1c8147

SHA512
38747095526db3c29a6fc9fc00cd4a93cc2a5c4ced4e83948be44db9b8b4f0804610c04bcadaec24a8de17fd3b4b92dda16a5ebe580c274ad4154f4b9566023f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
e12a88e5c47bbc077093c300ab76fd07

SHA1
b0d18790681e3257489f7bb44da9f94931f49c73

SHA256
2ca67ee0d11e36183b8c1447e35bd951db4a22a59d3999230251817515955b0c

SHA512
a760f8ba44b7fa5da27f5bfde784cd7a4b80dec9f8157adc2b95c7930714d00fe6b0ff123dfe02295b1ef504171ed7eb533750f77f99267cf0a6b908d429c1b1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a42b43bd9517ecf3d5c8942b9d494c09

SHA1
eb5c6702583de97554695640fdb382b43d7f01cd

SHA256
0799c948207dc14839b3651d3459aff8ef32589de025e16831c7ee2da3189b80

SHA512
4a068359d0a9c5fecde580da85143f9718b3700059321f8fbeb97ffb147ae259869ce1b47ef6be4ba1e017e3e13d12e33e782701e5242aa3443ec8eab89e9d1f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6e6ae087da6b79bd7727cdf94745518b

SHA1
a547d534681d41165956ec6208b6ff9372cb312f

SHA256
8ceab4d3fc2e57394ddb24913cbb09febaf24bb20d8ab27edcf9debda7c64883

SHA512
88b03dbaa25f0af94c7690db672decbee897a1963209790f7e11503a5ada7fe6400d867a9023f80a3e01bf89de4199d95b88dd263f96188a5630dac730b91ee1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cd633f769f22d8c3b4f73b05bd0e5850

SHA1
32027ba63cb04ef0b2f89f7e7ee2987fed456766

SHA256
0e28434ba11b78de14dd581de203d140d177bd3ef9f788a7368046ccfd9dc55d

SHA512
485c44fd72b2c0a468e0228b9dbf3f36109abb20722e6973108e2eb363a509ac5846dcff2c650c52368ccf533a59eb07d9e6984ded79eb537c32be395e0bbd3a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
beee5846fc647c18e2421df3d3558b81

SHA1
c515bda716d16b6f8fea93cdf7f8b1a84e47c9dd

SHA256
ec0f3c76c9b1ca2fdd2ae9a7de79b0dcbbf3df0b1e84de1bc08be1d1a199ec1f

SHA512
b1e00d9a1321a1db30eb2b6beeef43bb481720c6ece509cb76144a41e506f8c60512ad8f66312fab02eb8272199e6226c5a4502d38f548588d02396d5e5b3ac0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b4c8b1f742cab67294e74717d2415e6

SHA1
65ef77a6cd2fc28f6cff23af3c635c183afc8c03

SHA256
a8c9599a0b0825ab11d51c7b6b09bcc7a92e75adc644c9b8142c2f3b7bf32038

SHA512
f4210b088f48df483ba4c9179f3b8859ffea14206b11bdee70f58d24e99f6fd8239fc980449dcfc89f35e14a4c555341ad34006fa3cf23cfac75685590159da0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
73ee4d561ec446c70044d15801155761

SHA1
e6b296ee1acbabd1a057037cb42ff5482c5140a8

SHA256
4fbc37615d658641849c84edd6f5c969f08da43628d0a7f9d8a2937cd85f038e

SHA512
29c3e7d0accb38c822d795597dc88deed40068d6d4707f5a118b64d95bdb694923fd35fb9ecd2e312fd876e0764095db64b10380093f42706bb6ed8d240e5f5e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a7c491c9878ee0d6f47c480493f0b572

SHA1
e98c44715a2883dbaecead65d216761663150356

SHA256
00b146750f78fa29a37d03c8ff49f9cf3df5d6dc75f795afa81a5b8528abccb3

SHA512
cef7c48a0de631877f0a19c3b72b1dd48ef7aac51a515dad5aab4c88d74bfd8650403a4a8c3bce38e8d09062ba890e5593fd4fb0451290de3f8ee900474da8bd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5a762e44e816903167a28872f6d63e96

SHA1
b0e3da629c95f70cde72b7f8cffb9ec2a5f61048

SHA256
3bf341a63de061219387beb18fa67a46954937701896b43ae4376d545494153e

SHA512
13f172f2344895372c5ec219c2cd1ad95d74d4f6d4614dc9699b7953f8a8bccc784bd4a5f22645b7b7ad157717b557e644328c4a2157c8baae3130b9d234d687

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ca69b5d63cd3cfc65758d7dfe7a70d08

SHA1
89e37e8338a6ea78d6438a1d806ad3758e7f99fd

SHA256
ee3b75aa1cdb752a2cd6816693028bf999bff72868a5ffb7b90103ba5a6eba42

SHA512
ef2233e46c46503e97c32a5aba241f6211ff4caeed0d9de8e5fa12fa29e6f666db33643354a862d8bbddffc757c00e7a22b5f272d9cc1362b9e1804f5393e8a8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
03d657bad5e8c9d7adfeb22736803e07

SHA1
6e5b8a3b530771b9417af8808bc46cf0fcc075a5

SHA256
43893493808cd05615328a06382f96ccb6b2889704f013edf1684dbe16d635c9

SHA512
f76e47ab6027bd1e7801157e040c7718fbd1998b640959cf614bf19a8b40f02731c18a7a17363ab2103f3287dade64c630f994cc9a43ed6f609bcafc3a7d2422

Download Submit
memory/836-453-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/836-86-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/836-0-0x0000000030000000-0x000000003015D000-memory.dmp

Filesize
1.4MB

Download
memory/836-6-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/836-1-0x0000000000A20000-0x0000000000A87000-memory.dmp

Filesize
412KB

Download
memory/888-48-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/888-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/888-54-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/888-166-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1064-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1064-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1500-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1500-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1500-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1520-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1520-32-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1520-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1520-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1520-139-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1892-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1892-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1892-38-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1892-44-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/1892-61-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/2224-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2224-532-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2376-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2376-648-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2924-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2924-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2924-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2924-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3084-443-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3084-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3144-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3144-651-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3236-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3236-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3236-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3236-122-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3344-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3344-652-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3376-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3376-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3672-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3672-657-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3808-87-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3808-210-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3808-93-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3808-95-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3964-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3964-658-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4028-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4028-650-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4256-656-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4256-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4380-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4380-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4436-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4436-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4932-80-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4932-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4932-74-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4932-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5024-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5024-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download