36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
Size

625KB
MD5

c2ec573fec94de1da32dd6b53c876304
SHA1

264ce8b88799c10f6882776648db1153074b9d30
SHA256

36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0
SHA512

48440efbca0bcf1149c05347d104ef1322d7d8268437f6ed23c5a6b62d8cf8406964325a1af92a74db4a02104c03669a48ff26dfaa421a89c0facebddb789170
SSDEEP

12288:w2LJNTpWSgN/wwRN0UL0G/TVOo3HC75nSE33b9YvFH:9TdCN/j2GLl3iFSE33b9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3924	alg.exe
3056	DiagnosticsHub.StandardCollector.Service.exe
1880	fxssvc.exe
3732	elevation_service.exe
1104	elevation_service.exe
3940	maintenanceservice.exe
4576	msdtc.exe
768	OSE.EXE
592	PerceptionSimulationService.exe
1148	perfhost.exe
1404	locator.exe
4948	SensorDataService.exe
2844	snmptrap.exe
2132	spectrum.exe
3832	ssh-agent.exe
2212	TieringEngineService.exe
4996	AgentService.exe
2092	vds.exe
1348	vssvc.exe
4168	wbengine.exe
992	WmiApSrv.exe
3020	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\locator.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\System32\vds.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\864ed1cb6c5b9070.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dd88d920ed3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040df98930ed3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7e7de920ed3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065ba53930ed3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b71289920ed3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000844f65920ed3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7e7de920ed3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099e9bf920ed3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3056	DiagnosticsHub.StandardCollector.Service.exe
3056	DiagnosticsHub.StandardCollector.Service.exe
3056	DiagnosticsHub.StandardCollector.Service.exe
3056	DiagnosticsHub.StandardCollector.Service.exe
3056	DiagnosticsHub.StandardCollector.Service.exe
3056	DiagnosticsHub.StandardCollector.Service.exe
3056	DiagnosticsHub.StandardCollector.Service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe
3732	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	512	36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
Token: SeAuditPrivilege	1880	fxssvc.exe
Token: SeRestorePrivilege	2212	TieringEngineService.exe
Token: SeManageVolumePrivilege	2212	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4996	AgentService.exe
Token: SeBackupPrivilege	1348	vssvc.exe
Token: SeRestorePrivilege	1348	vssvc.exe
Token: SeAuditPrivilege	1348	vssvc.exe
Token: SeBackupPrivilege	4168	wbengine.exe
Token: SeRestorePrivilege	4168	wbengine.exe
Token: SeSecurityPrivilege	4168	wbengine.exe
Token: 33	3020	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3020	SearchIndexer.exe
Token: SeDebugPrivilege	3056	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3732	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2180	3020	SearchIndexer.exe	112
PID 3020 wrote to memory of 2180	3020	SearchIndexer.exe	112
PID 3020 wrote to memory of 2752	3020	SearchIndexer.exe	113
PID 3020 wrote to memory of 2752	3020	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe
"C:\Users\Admin\AppData\Local\Temp\36e2d05295d045ead20a4cc7c22bb2a1fc18761535f8cb202c4327eed766c3b0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:592

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2132

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:856

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2092

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:992

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2180
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4b64e9059489e97b5de36e3ede43d301

SHA1
f3bd413f0675ae438f7fa9c2aebf0679ee069733

SHA256
8e90e9ac7960c4ead685f8720916dfeb9efe959b78688438cd217c7e72a4ea57

SHA512
4ac247c8c8fca2c409f41aa3a4250a4de939af6f95ca6e5624f6a13c54443ce9fb1e38aeea6c81a3099ed4d90927096770e02cdb4cce5de972ce538e0b23dd4d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
fd66f7bf44355422f819c731439dfe8b

SHA1
5e77deefa55d72a7911dac22d440c6376e459a86

SHA256
ebb7e2859bf146ce08315f766555cb5d13eee9cdf18c59ba31715d7983c86a9e

SHA512
0033becd9f3f0b1c0569e3d24d570be2483ae3758fa85efbedb3903e5e3ecea2ac3494bf33756a0cdf80e9f230c40e74d328b69dbf0b32787d8382ca52234a26

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f6fb065265a82b948115b0db387e7205

SHA1
bf27f17da6027eb39b0741990e640c9d93aa34f2

SHA256
8ddd9ad3b8a110b68c1ff2cda8f96cea34495e43f98edf3a3f6acf2cab0322c2

SHA512
92d65dab6c4e42f777acc1d29b5ff415c099ac2f52e231f780ea2dc6a420068edb5fb738ceb83663e7655e9b3844e8fdfe6d010553ebabdf3f3d50d81bf912c4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
82550ca01e0d43340f6573ebe335a93a

SHA1
28532d3ecc426e315496c885fc98439ad3736f6c

SHA256
4b32c130604e8fab3f2dd6002eaa385dfdb4871f39421d584e571ba901fb5922

SHA512
b894c1bfb7b8a0963c73888da6f8a305c990cd059fcdb9b30e249c3a7db8a65e9cc3453466dd66549cd5504ac1712ec8da4010ce6e7d0b2cac982442cb8e02f9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
15bb9eedf1b49b49e925e9673350f957

SHA1
4df21861322e54420fc6d7491ed2629d18aa92b8

SHA256
14146eaf2d96d2d9564225a00bb9e418039dff0f98c8524fb8989cba2405224d

SHA512
fe11c1f3a636acd34c0104b7806617cec3c1a8155d9c02ef966e524dbd5f40a1faefcf6e993b7165cbd175816aae309ee14871b1d155ae5f767e9bc30a46f80e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3288295e08719fe517bfdf3f12b93865

SHA1
8b43df4437e6421b1d4f562a79cd26a625783120

SHA256
c04f03d6d9c351e6188c7a1cef41177df65431986121dfed5d6402425b94490d

SHA512
00adeaf2cba938fed6d70683574d4c66e13da95521a1d515f9b7735f2ad510aaad9027c847b765cf211d83125db0c8c72ee020c266f6f87b999ba3362aa9a993

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2eb831c03033846cd145eadd9ba61661

SHA1
93ff8ea428df3373a0fbd48e58b7e1c350e6d34a

SHA256
642c05dd87348a5b8f2fba182181a8eff3652a950b4e7c434bd68ad493827208

SHA512
ce0c31f7bae7ac61c6fc9b0f93ae6267df1b37657438c024be35343e4f7a167283cc6275fb57f9c94a7d06c45f495ec5a8afa28afa4ae3cfb33d76a9c9db3072

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
afc96c4030275b7865863466b8ae99d2

SHA1
95910a01aa4dd7cedf6502dcd78c98f5cb889468

SHA256
94332b84d564d3cef80dd158f75feaaf898c028dacd820a058ce0844a523e6d8

SHA512
b4089375d46f7a29f604691543f109ef9d762751e1e67e2fa54838d42753e02dcf7eebad6ace4e1b4bb49d6bc819ab7bbbaea412924e7196576fe5422b91d9a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a708cd7969717b27ed8141b2a7ef1b23

SHA1
e288ef870db1ff1ea707c8f79d44fb3167e0d8a4

SHA256
995226356a4c76f76949ebeb4f1a003338a1372c9401ea0de5325c3b70a80f33

SHA512
9c1ae0f4a5d98efa9075b7406575e4d40d98b3c98ccc859b60b33ad5a1762ea0dc1748aeb1e489e3a2c1a82c861196bdc994015050e2277292f2151b871cfea6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f04d774a7ccf9bc4e22a0f0d290a6b6f

SHA1
9064f4b0acae512af286eabc67c4a26870d59d18

SHA256
5ca4b90d5ba06253e54525795e12012f91d419144f45de25f1c12f818e618934

SHA512
df660ac4a408e84cb376eb92f0dd622d51826e0b59727d79c1ee7a9f6079ef3ae3af164316ee6c9d71582d09006129ecef0b8e6bf6e2d4dfc695f1d9ede91113

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
36c8ff98167a6917e13b70c60ef6471a

SHA1
aa9bd714ac61bf5ecf5a7dab19fbeaf7d285a103

SHA256
bdde6159823a40de4514c38021a7e2e314bcd66c16b04a7e03f920496fa2b5a3

SHA512
3cbe2286104be6a6710bd5b758efa5b69e67c531505aa12ebd72db20c49b7c5907102e7cdf0933f3cd14dc0d5769f686a0625cbed6474c8d574b582ad1f19f1c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9a71fd03c2b53adf7764b8ceca36504b

SHA1
ee500ac308ca4b7c96cde8004fa7ad1161966d8c

SHA256
c81f376eb177b13913ebf48fc6a627e0bc00a91d3cdf43d3dd9d447d7912333a

SHA512
0f5d26dafa069d059504ec0b350070d6ad66a8493443863b6cc37ce4a74a618be71d31a24a2017b5c917b751c43fe9629488a6fa256dd53001ffa3184736773b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
efdf657d37d79ace0807fef1dc6e6389

SHA1
f05372bfb2207f884adb9c7ae7308a581b9d8e89

SHA256
25baf874ea0ecd764551ce537d6e5be06d979bf13563cff8d7587cf49e3e1c61

SHA512
52047d2ec8285a02f4305c5029e5c4efa5d89f655817a8462907461365fe96e9936d1757acb1dde178e6fb3b0a82793f4c4c752001e744d79e2ff389789f12ba

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
198598c67e0dc34b70b37479811a6a62

SHA1
32e849e6e4ae9935b4b0b7a8b0a52fdc3548380d

SHA256
ab20d4f9a57ca97c35584f9dc6962e0b3218895a2388723686cb46468e952815

SHA512
f4d979edb5a8255bb79144ebde37e34af399f39f41cd3bde3fcb1861a41682cf819eeb02a8f247e0812696b8a231fa9d4876e54595544f66a82473530b2ef4b5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4ef19590654d2628cdbf70a8dc1e9d97

SHA1
2d8e0f26f36775d3dc5b04d3c48e10fa2415d61c

SHA256
5af87b87cb0f1fcf867dbb549dc043dc6e53894a4cc9ba0b950831a8efdafd09

SHA512
e313eaa2bb6798e90a765e643eb28c9a2f35206d20c5188c20981f90bcb98fa0d251b0b85b06331028807fadc9d3d1dd01b8f943bbe6910219ea0185bb74886c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
76839c94743173b3c39077fa48bb3cb7

SHA1
0bab9855d3617134a23ad6b3e666b5e382981547

SHA256
a28a2572c0b29e503ef79a908b63ee5508bfb3eac5c7b835e5d861c27ca18c85

SHA512
c36d545a9a9d1626b3020d654383a2c8d6d361697fd12a275caef2aff9d16560b90e46d879b46e1e1f084e0caf079d562a57b6670af589c9d1dffe0b28289843

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3dfbb9bd93c6f186c75dfc9ed6cd0b28

SHA1
06e283230f407e9936a9d882444cb623a620111e

SHA256
4967e8050318e55d2f9568184c5e6e38c29a5682051edec69aa8575d3d85d411

SHA512
7899947eb2988ed06be234d08cecc7a2b2a4fbd3ae3263425ad4e7dab87167d908792dbb12a81b6e5e434c544037bab625376d6200a6e692533df01508c898c8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
739fa30f8e9af85c94a57a2b35a293b9

SHA1
df0a01735eeeab65719e46accc9303d00f4fe0dd

SHA256
307ebc0d53f57c31b89895eb2c4f598a2150157c03a6a7b24c808f746e50f218

SHA512
29c8eee123d1e699180407f5a3934a374d894c5fde447a0cc49774922810a9313811ec3890361d9dd236de554e2f6d8071e0b45b861efbc1a1a4b6a1ab20bbfd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
8e4b402adae9ccd6e408cc36a7128abd

SHA1
691e04576e47ac98beca49c3c0462317f286850c

SHA256
2d9fea5c4a04df313c76d5e1ee1baf936490ed3d6c8e01cdb71b27590e0cc6f3

SHA512
72f05df90b01077a7e6e848962b2d420cd5fbfd7b4d3d7d85fddacb79e8d94528f1b0065c17c6e4d98a3732d1a8a59b7dfa6c610eb65f958303ff4e10b541382

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ac3f4db26ffd6be8f1984820c9f1b0c9

SHA1
8a57985ce2e51148edceaaf6dd5c128c8b7e5628

SHA256
adf094170e7b1fac7e3f1c314a5aab322909e5302619652462627d51d821096f

SHA512
0f30addb0a985e64f06ee0585179e94c39a75ef8624b49dd45abf85cc4a139079441509a41c27f7d392c50e5f8235585238808f84d072487ef9d892b1b3cee1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
25c4c7e1f908b4e3ef8a0d8d9f204767

SHA1
feb414d3813ad30a1ea4de7ef00630f9402b29a4

SHA256
798fe95d66b5c9198c447da6b90595ba7843ddebf9c20da29373cf36b57ee26d

SHA512
b52b5839f9f32f49d1c0d3078db976be8681a2664b8da4ce277863659d73cbd6bf7e0039eaa059a631cb445262643830eb24f347c110d98a42af905663ddff87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
048adf625faf7930b1b0540165fd7ef4

SHA1
de58a79744168a61219d44a7a159165c71e839c2

SHA256
d733b809445ca403565ebc73a14c76ba22b2151bb009739ea84822ed7684441d

SHA512
9d92474d1b56203fea8004e3bfa57942e915375ccf45ef239e004a2b46eddb5d28b7d69dbc5808cbb08fa202327f558c28c075c28266edb338b8644852ff1e5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a16f508204a415a42dc742544bd8e1c3

SHA1
1bd09f0c0db97cca7ec3ed60db9a980b61aea4df

SHA256
934eb9b3bc2954d36898275940f594e8eff796481c31fb7cb209293d416dd19e

SHA512
ff823597175d68d99a3c4e565eebc9dd40ef4f4656372e24ddf1850bed5b64961131bd7b30c73f7eec11f457b293ecfe86def89be066a35c1c77aac5571ce867

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
e8c53bb8ae00f93274cf34d5070e1bee

SHA1
9ac2cef5c4c69ac15a266e3196e46cb97cc51d20

SHA256
adebecfb59d06f13ec1b4c3f9bbdb1eb1d34729e7184a3fc5649c44133dd3f51

SHA512
950db0752a2859ac0668aa1c43603202fb1aba407e026e175353403adf200622285cfbe1e088e71d8788ac47143bc0dc9db170481fe76cac8e235568a17e990e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1df58dc08eb4d93562c4da8707b082a0

SHA1
8b3218c4055da093082e60fdf041636202936009

SHA256
9dd5f064df908611797d8178facc9888df1e388a87ad75a387b4f34a402de113

SHA512
abf7f64897b59302b95392d18fda77eff699d03e7c8710570d3233201a4bf5aefc638c3317a5cfb09745ebf062794a2a9d5cd2937494d4141ce1149fd7aca5ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
662dfacb6312ef367862a3de9a6251bf

SHA1
abda9cc9a25b251c5197a807df35a6a3ea98637c

SHA256
865ef24dab4e500bd451a9d183e15ac691bdb853ef85e85a5c5c9db5b40ee3e4

SHA512
09273f1dc491d22d5db749a75190127337820a5934e8c4e80489aa1ed43928533847de6810b58af7a401939ca28dd44e9faed9d30bb6a9168123dc1e7b34d9f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e30b8f2a533e8a997cd7b56e33bc2226

SHA1
f2928264a8527657776461c6e4de3f674749ad78

SHA256
e2bcaf5f96b7c749438f26042e4feea3fe5777b80ab0bcf8e1268c1a15d13055

SHA512
bb41452e69fc733c5b42d7ff3e4fb80721c082a98152b2877fcaa51e529ac49929a6b57f484ffd13d46ae11254b599e982422cf2cc8c7b82e2128c3e74501f07

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
68caae7fe1531db3629175cfc301529f

SHA1
0dbda2b6157338a0ab84d5beff4f768cfe262c53

SHA256
de2664cce4fa605b034e6e738850bcc679ce82288deaa3145c1e75909f83e090

SHA512
ffa1e861039540e2dc7879e485034ff8e393fd660fee1e38cdb33b385401c95252c4ee8157b4ffe465ff13814e95c3660f386f10f88434ff6892354d501c1d93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b113cce0035bbd5132fff640ad867000

SHA1
615a8316e297c9078af14dbc4e52c49714ff9a74

SHA256
1a1708764fcc36989fbfa53924d51eb33d3dbc061c645759132f4515923109be

SHA512
826fec674dc0502f2ff73607ad41350a5fc23a48ac2f627c0057b55c0472c87bd3a73497b44be9183acbc911816e66b51b8bf6898cf6a30521547c24127195de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ef8ec42ea0537e02315d582cf1524da3

SHA1
c089612d8db284e5d2abb640751312a78f08025e

SHA256
f4ff579588897ea3f50aaa8caa6983eb7ce526b6b2b2568e1376ef1584850e59

SHA512
2b6625a9546026e7ec668c23045ddcb8e53692187bd3f7c6edcee3dca4387e15d26a1f194d8dc500deff623adb50b25b4de3a438216c3fd095685b92c5e08f3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
9146e0dfdc731924f666d652f562aa72

SHA1
322eaa6891d83f04e29db42b5a8e3bddaadc47da

SHA256
d0b5a700d5ff133102e9c3191c65032d5369eef849020504fa5157ccca8e84f4

SHA512
3effb39c2fd708302bc621bed3596d1e9beb0d3d4c03f92c3de6a1bd772f21b5220b59b92996320247fd73c199eb98b4e8b96b7c77599cc4cee7aed41a1a6763

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
702b23edef0a5ae39456101a2006e452

SHA1
cb2f4d95cfbed430819a3f7a598ff796dc0c9b76

SHA256
b7ce1d438b8fe826db10d047e67c877e8b117786083474e83f286c44ad787566

SHA512
3edae131d03c3bb4d9f9b6752a9b3f1474789f32dd0273555f28fa8ee651673e60de16bbf92ca226427674df88616f59a4cf6bd53319f839559a61422f71a10b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
e3339451da6468f11dcdd43ff68e31b0

SHA1
16c9f2dd29eba61b3e6b51bf9c0bfe921da7203d

SHA256
cbd9b897a4b748ef7f3bc654e12db48950e4b015706ddb5dddbe90daa14918bc

SHA512
267a04c92b0bc8ff678d52a936c41c0893401affef0d49b4e85f3cc94447faa74f4ffb37148abb0314fbff1c4bd23022b1efa71db6095c97f63bd6dafeb62fec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
09d92aa0140b47c7e682b69c412fa440

SHA1
5e3cc003cba26f0168813eb875860eeeb7fae104

SHA256
0c9eefe4ee6875a8b783f832ece1965b5b9b130995aabe05b2c23a3a5310d67b

SHA512
89708e521c5c1e9c0249491500b529b9b6f160b641badaa379d892ec756768488da079dbc4bf6377d5c732e6f8dca91b0f45201c161099a946b4fea4094e320a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
da3e73bc10cb56a954c8d5c7299bda15

SHA1
2b0225cb75d6f480f6cb99af14c719c007cea7f1

SHA256
1d58258ad05d524ffa39ebd6ea143465a31511f02c36d4dd9c9c4ce8b86dfdab

SHA512
674ae3ba85ff5e2514fe734ed6ec2437b17f98dde8ba60c4baf576af83801b72f531ebd79f1c94e8e2946cf2315a0150632f28b7a16c3819c2c92044998a1675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
dba48f105a8a072c73915c72bf1d4811

SHA1
b5907c48401bd7ec62b4d21d9c779f79a5c2f5a8

SHA256
f81b7841255ef72e57204246aa707316583c74df928b5a064c7d68f73d1008c7

SHA512
a87c915588c6c37683c81081cbf1c281980787b06ffa19f1b52748c792881511d6b29a77777e65bc0a93d238b1afed6ce45a43a0146562a1b49d0cfcfb07dc7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
428935a9677da3bc8deda338e4fed6b3

SHA1
8f3704e27e71bf96456cf9af9efc8b0b0106cf94

SHA256
269fc03b01018533aebad92a9be7a3d83317695aacd887b1bbf38db73c0ba283

SHA512
ddcda16d6abd8c7fb050d642f83057d82e4e66603901ce0af2095458161c5b2591c82340a608a1c9f8a09695288b6b5191c8c57b6d525af59cd3c1172e78b4ba

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8a33bb9020cec965b7c0b6fb4d13c6e5

SHA1
ba9149461e28ba1131660d23ccc0c37b4718e488

SHA256
93464961d54312f46086e194b40558cdde810e432ca6e023a864b7fe1db71263

SHA512
dd06e14047706595da8463243d6ad2eb405e4105caae03454157f686fa74ade71001daee8f2b51c01b5f3ead2aed5aa11362404952670b1729179fb4a7d564aa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5f1bb09084f8e4ae797481faa5b19854

SHA1
c89309fc3995182d29565800c7d14abc713cfe80

SHA256
67ecb901ba5eac16059701871df599a27e59bc1032ff5351b6f3cc2466185552

SHA512
591c5a982ab2677c9b7f8fd42340cee8932919c971b1d0cb9f04c04289abab8433f7b5ba9a1dc45dfbd62bf9043815cd8a341030a8eb91641ba359959173a7fd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
162a966a48bff058ab46cea585ac02c2

SHA1
9f33c26755d3428e156bd4086ea398d1efe8f208

SHA256
0562c71cf1eb3fffba2b561fee55ceab19f09df8c2068624ad2973837054bf98

SHA512
d79fc63dd67e6fea8fde0ab6a6c4b58740ce5b7606ca6f1a256dde8e1b0b03347ffa6599764942d3a903d283d58f75b9bb1d98bbd75fa663e942d89abbce881d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3bcb1baa96177852b5ae92181c25b796

SHA1
cb0794fde44d8409e16dba48c32c6ebb5ae4aaeb

SHA256
b246118e73168c660e9d33716900ae07e9bb911065b19d0464d8fc267951aca9

SHA512
7ffa8774616eb7413ee92cb55f8f4e926affd5a48358dc3ecc7aa96127282ff7c504f469d3f532449401699ffb34e512b1ba2f6b2d12cde4e20cd3e3508d18c8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
ced5e552175457ca2f5aef90ac1d3130

SHA1
31f4cf95807eb3eea5d2bc85c71df35135279015

SHA256
f061113a727796f9e05234ef34de159541c2a85c857ba832ee691b5522b76727

SHA512
90d2262149b83dd820d4c5a33d7dd7bf352d753541aafd6424b8055f06fe33adc8f6d5b39e01a5db8b4804bf8370240ba35b352f76f204e27afa1df5a998d51c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8ee7649eef6fec114e67e8c3d54fbdee

SHA1
2b8091972193924efda5682bec6678b68f04b145

SHA256
c539dd81b3c424c8e33d4b2cf2c1daafb325232240231f58d57615ea1b9b9f96

SHA512
6854f05bf3d266b94ec3aa94a2bd67f83ae117eb87d56b49e8a551d2d8df6166e547b5c55dbd5e67a5c310cfcfe6dcb46957baed908c9e7ac7101e48de03d5c8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
14a87db56a037141b40a3dbc88156e6b

SHA1
eeea2e358bf8a1647978f6e77465a4ca6236a2f9

SHA256
4a6d24c2853b23184ee431e4192e4a76d2f24c44a03450aba4033746f6e153f0

SHA512
8711018beec75fe80f03b6b168d0d450f8f2863851841b51f6a31cf8f91e4c394300a32bc0396655280ccce4c0ba59d967ee577ba04125ccc8ca7f1c575ed19e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
706cf6618249b6f4b10180eb1e323e1f

SHA1
d6c81c476ec1612fe999f693b7c95659a0a1de76

SHA256
809d72a6aaa63a018034bc4692caa2777411156425e8921aac5805d3f6e9037f

SHA512
9ab23a3792d0342e82a1598d951b4e08c3a827edfa1c2dc975eb6dd7dc6ef00f37b7159caba9d08fa755da208a44f1d9d63339e7122b2342b0a9e21e76a971fc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4483cb3552bf2376aa890446c92d7fbc

SHA1
01a9a3484b2cde3374ef4c96e73fdcc5a6289e01

SHA256
d573ff04efd8534d24b8ff2e0b57e0969aab9fc43edba03b31890b657f720072

SHA512
2fb2053db6c408620ab1d543862d5e0c777acfab043b3d5325717253257f8151f075318e9f43da702d6f9b0d73e4770245e2c96cface633f5d7c87208118648b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0372d13d17419ba7187c38c1b6205198

SHA1
4e6c9b289fa3933bf7672875fe851e9cd5dde009

SHA256
e6776659c5334bd932c1d59a6e8649d7c3c801c45909d0436a633419d90291d7

SHA512
dbd0372ae6ec68503321c92ff26e4da8ddffd33f1b16884d5455145664b44537e06bf730f7458e31a7be44c720c4779bff9f4d120e29522d394b5d165ac10054

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
377499c70119fdcbf47f12d190a6e28d

SHA1
1386363fc7fb29f71e47c00d116faf37f951d788

SHA256
952a3cefd124316e066a60e43f3ef597b2729e637de3cbfcff506d54516afdee

SHA512
ccfa6e216d88625262dce13004cb647d7b042fa6c92a5be2ba1e39240b7d5b3fe539d0f09cb9845654a7d53ceba02dfc35d51921d37b11297fe565734c7c3ce4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
27ae88769ac6d08f2e2cb4d463cf512e

SHA1
69b2289a7c0f2be509ce56d4fe951d21f36226c9

SHA256
a0ed25b21ab40548ddd40e09ea4297c9e14974a7cd7e9206c6ad5e5c5c811e75

SHA512
ca62b1882390e574a6365b4032fea6c6ad77c1cf461a346727e89b89b834433a9bc0aab245015ea8e32140ba5e5734b4a395adf988962cd48500270aa055824f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5e13c3dea3765414f50af26f1c5d1add

SHA1
f00ab889789cfb7b2e434a1df8f65f9413061333

SHA256
adf68369f6c261879d36a3ebfddd23946d466c1b2e11df8efd2404dc18099165

SHA512
097b6a4a6bdabb8f323e59b14d05ae1f23a49db8346f5aa81c09c86aa7e2334806ddbe920ee11506f7dff9bac6a19a61768e8aed0a96ffcbacb5c55567ae7ad3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0ede93372ddfae1fe9f888a7d06efd5c

SHA1
78756f8fab3bf3c9d8314e106225d58a3d8a2ad0

SHA256
07e4b6dfd9b6e3c46f8c548a7a291c74d9679361a93b5d200695646b435d8f0f

SHA512
8955be1e62c8180258c55986ec2764310d7e39de260e499ab5d07afb10d84d88de2718985391e4918c66a9b70ba11183285b565443578a5a6dab9581ec4c0972

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
db6d00b57e3203bcea9cea850f70eabd

SHA1
d38f903e6c67f2e0fddb2b6d92da8014c59e8934

SHA256
78b7b6dd818338fb7a030bf6e8229bd950751768ee6bf45fa5db57c53ad78805

SHA512
b293d8b3543d74e971ede676fed25be31502568aa98e67611cb36d5e4bfc05bb7bf0c44cd097fb5714fc09fe6a3fc229e024c303c1331e6e0c09834cc0515956

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
61aafd7173d79fd2c9fc091c61f1b736

SHA1
3c49eded27c10e44b534ea74f63743585200dc6d

SHA256
c115d1b5d1d943aaa2164e992989fbe0443073e883a42a447cd5e4d870285d67

SHA512
93a5c9bf94f268429ce1f29e0e89e33e1667ded5473a9e4a36de7ef9c0277c4e33716fc012ae4d0c01caf084354b31a9257f54daee5aa777afe978dfc17c766f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
075cd56a4bf40db3f3d136247ecab918

SHA1
b61faefdc4619dad61823cc1d1fa7792acad85b0

SHA256
46f2e9d11f2bd7c384e39aff78ad3a0f658e8d36ff54364e659e48e7fda25e1b

SHA512
469048e243a09d032e4ba50cb2a1e5953bbb21641410e8e7122d14106a36bf07e0a4cc3f25a15f7fbdbf257e6e361c575b2dee42312a8dacab07ce0d7f2043e8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ff2bef36ca384bcc23833a0b1c8636d6

SHA1
b4dfe96e7d6abb11d6b7fbe2b4fdc08d62c671c3

SHA256
b6173014a279ade7af03f8e5959e889a6cb83951b710918d3457e72acafc52b7

SHA512
aa0ecd465d7a8a5e0ead2ecc1f74329e742188af3fb88e7e8695d4c6c44e39359610c8222a697a50d7b563b436fd3d0e7c27ab9920d02bce030848462c842937

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d8ceb5e3fc2e47c623ec21bd9797a75e

SHA1
9fe97c8459bc589ffee3ce4ebc919dfafa3bb657

SHA256
e1850ee9544248d2aa782539c25d0ac93f09c2610bcdd87a3552ce588459c759

SHA512
f83f70b175ea53545d06da7bd05d1ea60d9854e03a409c530dec94310f240e725254625d0310b31797ff1654c848f530e9bbe89e3c29ef4934a691c3553d8986

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
809dcc3d5a5f409c43b271cba1cab491

SHA1
d1247522ba13e13113d57d886f1154f0d05f3192

SHA256
29512517a5da990a9ba3f8080f74372aa689c989d10de18fe49379c2e8d476b8

SHA512
f57fe06b7bf2eb372773fc76c64d40399685beb7933b34cccc938768e5f8e193a72c1af97fb52ce46451f7328c9e4048030979ec91ccbfd0ed6518d7c4a898c4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
972ed58e4a7cb2fed7814db9ed49ff2b

SHA1
bc91153ee16738cb2c69c2e5b69d303d444cf975

SHA256
140e408e31c937ff21f3b563a0ab95aa0c9064d2463495f9f7f051bbf36cac8f

SHA512
cb229401b65db8673b80da9d48d6bcfc878274af49ab32162d9ef935ac1d24390d2e048f2700ba07524dcfd09091b91c851431a4ed37c6fe6d29a5f52840ef37

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
94c3a07f7cede6747c811803ef007c65

SHA1
c2312d255ae2acfa4179f659a55ae00a268a2e6e

SHA256
726dff0122317b9be768ab8e5c902bdbcc2a6fd0e1b7ae0f6194cedc533306f2

SHA512
5f10cb2806908c4391cef52986d430fa13f04b92b24a3293d9a1aa7c2c6538465fbcc69bf6c6487ed11476a3b7cbcbca6f4506e5f9783cfd3a0e0d4b5366e5d1

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d83595900936822f71f9a844c22f916e

SHA1
fd1cc4c7a63e7236b09e8b496a4e043c36873341

SHA256
ff47fa86e325e54aeb904311c5638c429bafd50dfb863658e88ed756673b111c

SHA512
defab7a2bff301a8c32807831be8bf8d44e28e6fb57ccf16c7085c7b8b7cff911ab16ab9cd1effa7ebeed135fd9157a4e7e250670c8e1598de2c30d2cc2cd17d

Download Submit
memory/512-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/512-6-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/512-1-0x0000000000A10000-0x0000000000A77000-memory.dmp

Filesize
412KB

Download
memory/512-82-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/512-322-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/592-85-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/592-91-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/592-149-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/768-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/768-73-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/768-79-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/992-452-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/992-162-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1104-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1104-447-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1104-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1104-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1148-95-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/1148-100-0x0000000000780000-0x00000000007E7000-memory.dmp

Filesize
412KB

Download
memory/1148-150-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1348-451-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1348-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1404-151-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1880-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1880-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2092-158-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2132-155-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2212-157-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2844-153-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3020-163-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3020-453-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3056-21-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3056-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3056-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3056-316-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3732-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3732-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3732-446-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3732-32-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3832-156-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3924-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3924-315-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3940-55-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3940-61-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3940-66-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3940-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3940-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4168-161-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4576-450-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4576-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4948-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4948-424-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4996-135-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download