28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
Size

1.8MB
MD5

6f31e7aac44ccd894aa28335b345e3a6
SHA1

d56b23d28852bc7bd6e3c6e8bbbda17336a523ea
SHA256

28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4
SHA512

bb7aaab9d60ee9f584905d76ad61f4c30afb692f811cba355f8d4b51a6bc8d4784c04232690869fff7b894da418804eb9bc5335b5b5ac9bc60669f072ec90466
SSDEEP

49152:xx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAj/snji6attJM:xvbjVkjjCAzJ6EnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2984	alg.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
4724	fxssvc.exe
436	elevation_service.exe
2204	elevation_service.exe
4888	maintenanceservice.exe
4072	msdtc.exe
2760	OSE.EXE
2180	PerceptionSimulationService.exe
3340	perfhost.exe
3528	locator.exe
4276	SensorDataService.exe
4564	snmptrap.exe
1784	spectrum.exe
2828	ssh-agent.exe
3876	TieringEngineService.exe
1632	AgentService.exe
2576	vds.exe
4504	vssvc.exe
4832	wbengine.exe
3640	WmiApSrv.exe
1048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8747b9c8c979ad35.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\spectrum.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\wbengine.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\dllhost.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_hi.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_hr.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_vi.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_ro.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_en.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_ta.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_fa.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\GoogleCrashHandler64.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_fil.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\GoogleUpdate.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM85BA.tmp\goopdateres_zh-CN.dll	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cdc90ca42d5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b0479ca42d5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d39cf2ca42d5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd5287ca42d5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000834c5dc942d5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000464a41cb42d5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b4d03cb42d5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000be2956d142d5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c04ee4ca42d5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe
3616	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4016	28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
Token: SeAuditPrivilege	4724	fxssvc.exe
Token: SeRestorePrivilege	3876	TieringEngineService.exe
Token: SeManageVolumePrivilege	3876	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1632	AgentService.exe
Token: SeBackupPrivilege	4504	vssvc.exe
Token: SeRestorePrivilege	4504	vssvc.exe
Token: SeAuditPrivilege	4504	vssvc.exe
Token: SeBackupPrivilege	4832	wbengine.exe
Token: SeRestorePrivilege	4832	wbengine.exe
Token: SeSecurityPrivilege	4832	wbengine.exe
Token: 33	1048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1048	SearchIndexer.exe
Token: SeDebugPrivilege	2984	alg.exe
Token: SeDebugPrivilege	2984	alg.exe
Token: SeDebugPrivilege	2984	alg.exe
Token: SeDebugPrivilege	3616	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1808	1048	SearchIndexer.exe	112
PID 1048 wrote to memory of 1808	1048	SearchIndexer.exe	112
PID 1048 wrote to memory of 4164	1048	SearchIndexer.exe	113
PID 1048 wrote to memory of 4164	1048	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe
"C:\Users\Admin\AppData\Local\Temp\28c95ce656553c1fd24ed0fe14eaedcaf211375fe60a32a135b30f5594f554c4.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3044

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2204

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4888

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4072

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3340

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4276

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1784

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2380

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3640

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1808
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
36bc702805cb426309db63ab42ca4e32

SHA1
d55d17e89dc70b59a1bb2ecd440121891b2bbd9c

SHA256
ce9884729cda8f08206d48233d7eb2b26aa6307857590b1400910a52ed977711

SHA512
7a90039f3d5aa67b201fe6fa31dc5f17e1b080abc59a070a9d1dba76d5be438fdc180e917e099a977267f1140270b0edce284edbf9d1ff13bcc172d43e464522

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7bf0e2c58604b39ccf326488680c1976

SHA1
83faf77ddcb9d10a35dc55611d082f3d705544e8

SHA256
e3e757126b213e615c0df627021d977e406ee19986a934a26fc20780d961d8e4

SHA512
0af2899a40aaedaa741f64ce64cf9ecf345e155c4a1511fd2357595b32d23a2677b0960064b340b11658bdb99b6c38193c5af2ea235cd620441c00244fee75ef

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
f9129fc13f63fdfdcc678a9661d95ebf

SHA1
332673940e6a0a509fc873a476079ee26311ac22

SHA256
3823cbe286cef335dd3b987083142a0672e6fdc8fe20091dacef892f8d241ead

SHA512
dcee7477e1a6be32ab076cdab4ee01c7975084041e08ef167b28f5c3502c18c5547ac5adc89ae6293d66af9984c22ad7665ed1b1ba28f7c0586a37139b50ecc5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e21313d38654ce3106c9b3ada89b2d92

SHA1
7d50db85a822551072f7719420ec2953f0dc6b92

SHA256
065358f1b451d27899871626af4ca2358857f97b414ff291913dceaaa6ad9f46

SHA512
3829d91a2f39e65c9f83bea29842a6f36821355cb9e89acd2d97740afd4115542d110fed779d01f7d9a04178b1a1e921a53befa08a0ac1698d4ae23b664f94d9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
86aa49cc71f282bd716ae51a6d7473c5

SHA1
2c7b4c0d3f5a14ee9c43519bf9eb1cf92486ec52

SHA256
b6eb53fb1c9af7bf6eb364c03d5c4cd0d4672f96ecd6e0df4a2cf821c34ca42a

SHA512
71814413f41b68a593c02a4f7cc777231be188600bccbf24266c20ae70a8e8df7a3f15d9513dfb70ee565ed831d2070a3cb691ed42a6962a98423a9191970884

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
789c5e819068a217e1ee1003ac17a138

SHA1
c1c8dd14377d2c8684473b8d124528ed6ada4791

SHA256
725f3e242fcad49a1e88310f81f81e2188d5f639ca434e99dce47d0c42bcbeaa

SHA512
f3cb626d961dbbdd78b31b2e610fa403cc832ca8d2051769db8cdc99d138b3e4cbb2afb2697b3e346c2c68f635ffd2cb0e58ec6b2e327012edc920e0b5a07d51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
7f57165722d4dea7e3d067f662c2c68b

SHA1
08d93a753f4f5e1b1a7728ae1a80324bd7fa41d1

SHA256
b83764c679f8a8a844ddce6fc93ee28eb8f633a78d8a0564004e13fc430a504e

SHA512
703100ec05ba0555af293fde87dee5c07fc32523905b0ff013b6f71257fbe60c9f8d5eb07bfdf2d07a1054f96e8b156261ee209981e5974f836f7b66681c5497

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
87788859eb5149d1d0e1c959196a988c

SHA1
49443e19652038a6e8011caf64ea1f006dc79f9a

SHA256
f1dc6ed4e2c59a2dd01a02f1b1ca7ed70f74a1be22b81346e42d0acec7588e90

SHA512
bd2b310e1d71e8d69b1bab6e88bf6bc93d4fa6983d6fe68c621819f4d3bc5cb66cd20350f5c002ebdf723b528314bd0f606f39b9a9a0223960b0b8a0fc6748df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2eb2717de1347a9e9d4c574b4ac2b0d1

SHA1
5e68c6f69f58e972e5ef070d58cebf449bbf4d3b

SHA256
ad3b32686cf4bae26c8688747c7473ff116f2b66a1d3b271cadbfc95d8cf5ce2

SHA512
47405363566d4f3e74ec58cae0688684589fe35d3028fa3f699ffedf1c4f8d54f3817e41555ca0ce2bf12b5cfec9fa1666a4c7fb1a8c0c089628164a33e0b4d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2cb84a28623582b5b9701e340468272e

SHA1
d1312ec991ab36c4d13885cb413032ca168a496e

SHA256
cd76027e0c78028390d64127fb816995e4f123bb458ccb7cdd82155b9a4fcc6b

SHA512
a6639ce886b5ee575466de8421538f97ee533ac58da18e63a377a94e568efe08f2559a0965a340d98ba9ef9f4cb628be4ac7b9b7b3321e549ec75b9004436a33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f1c92b71cab40134145df259a35b0d70

SHA1
e11edcd469c1166e5b962ef72da04a81dcc4eb0f

SHA256
67b2bcd37882facafcdab9fa6c89b341d9fcbff96f9a38a505da1f7cc9b3d554

SHA512
3429bc851894baf6cce3420cea123b731a577cda3332dfa87ac2b7632046c6ff8e089aa863df97440895b6e8c20fb05bf05cfc839c70a19de3bf3663515b34a6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3f8bda056be9e619a5c242fcd79c9365

SHA1
848db312c5c7558faf484f6d0f32943ecf2b2b88

SHA256
51ca9d9cb759ac09e1270964e6f404a1b5a4bd2ae52d45987326d7e7648034e9

SHA512
33d897b93c16f91d8d9a3cbbc5abf7f1dbdb724edb0381b3fb8aa910c695511529ba2c9fa1f958e06b9b8f79119e5eece77880b11c5c4fd2dcdf927cf76b060a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
98725c549c2531036d9bbe89fb9e5b0b

SHA1
23ee65e0fffe123a4da9f94b74aa0dbedfd4be99

SHA256
f026dc3f64083da1fae91cdf013836b71b66b1209c045bbffc0ddac0161d0171

SHA512
2ccb672006a76ba77609210be007adb26a0afe3a21e6c425ad19f7b5c671cd777f15c6695796700b369d92099797b3ebf8302c6949d2f99b9fd992a76931bf89

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
29b9e68d0ff2077d7fb5929206eefcdc

SHA1
695e589a57af263579c4e99a338f984e79b22fd0

SHA256
a89ef39c940d14c741c87011b9015b3374ded2b88634c67311810c4e9f18a3b4

SHA512
fa4cfd0578177666fd9e40451526556c40c76e1286786381176e77a4336c2b3b9dd360b70889577f18103eae3b933234998c43cc9989cb5ff9d18c98ec335f30

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1fe6b10040b90f4021064d9ea39d26d4

SHA1
945561bf6cf52fd9648d2b1e5c5670c1d5871b8f

SHA256
4daed1c1dedc5070d333e56bad2945801d7434bb2ca24168d591df05da9e5e04

SHA512
eb6df54a047c54ceab6bf2e784c0940d9d414cbd6fde586302d5473dc734ed9751d0130fa42f80eedcb2703683fa7b30da5bbba507d083e459c2950210de4f1f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
e5f5bb307a35102641a4d4eb20d4ea9b

SHA1
288290c0a741dccf000be769515e427b28d6d41a

SHA256
4f711328e43453e4e80abacf000c64411b5ec30ac5544511b74b44d4af1f5862

SHA512
28a4e62f3ab89863d7fea0cf2bc6968a44295cfdc09348bd9bdedbb88524196d9456ea24418ca421fa347660567bbb2900be0b2ab0f8fecad1fccb21049d1f14

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
990aa7752aa60b667ea89de7e7a1cb9c

SHA1
ccb6b287d38e73343f42b15830ef9321048f897c

SHA256
ed990c3ef5b9967ff3674382593a827688202f4b3eb72505e4708761d469c249

SHA512
0e5f9796cee496d14a3800e467eeac9c682035bc6a950d4f001c9e447d4da84b9200c20075983e915ce09c0cb0d99c041cae9d206da3d6ee7e149fd5b686cc19

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
9b0b3c3973750e02cca8ce627e8e1513

SHA1
ee61d84e0c37545bafb26fab8eb6a6e5d7648e36

SHA256
c175299abe63441216f1507e98fa4a1137074e5645f40f3b258d9443f9a31b1a

SHA512
6d8fb40b94dab47e9d60f8d5a648266d49bd760f0a1a34fd55feb2b9b19fdec73a57bfdf5100a690c69c4c46eb1749e79fef7ebe7982472c9cb3737292291536

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
2bf57910ca0807f6f36edad7d0c6096c

SHA1
06477c99a9e99a4e7384a70a70134f1a4c472573

SHA256
d5768f00b8c7718d9ae7f4f082026293059ee09960c8f966716c07daff74ed51

SHA512
ec59115bc6af70b408161b81b86b7168fb8cad89cda219677224099ebadbae4f1271e66045d0d75ae601db747e7c5fad8649e7bfedef4a8566c03c38933661f4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
74b94b5160b1a8d5b77f5532a4d28c82

SHA1
141622d650e0cd6ae82c13e74054551754aa0455

SHA256
8950678431ab268d3e4db2735c1e14f89623155f735eae28238341f275cc934f

SHA512
92937091f5e0cd28d96efb8e05c4bcf70e69970038ad41e877aaeb9664782fa588bd529ab689e8c103b1d9e360a6096828300dffd8ed195796a61a9568c452fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
09d8ac9e132852f01c1b0ad232554505

SHA1
52cf3fc3125973d73b6b56fb38d7a9df43a1bfe1

SHA256
b07ecbd4f37315aab960c367516d2d2c3d37f700cc3b59fa1c92492c2d43f93b

SHA512
1a69b748fccbac6271139c220740abf39960e3c7751f7d0bf78da69b36e3c026417ec79997400e7448a6fc5114a344fe7e6ba876802aac0e316f7b15a76ea06e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0b641f430c2c60cf12ee646e2904b11f

SHA1
bac2fa5460fa5bdd4c6ea3b53c96abfd8e155e6b

SHA256
71012d1efc144d979d3b7ea79462b243e1649cf887fb08b8b9fe97128c788093

SHA512
4a585ec12030343efbed9ee9a9f98c8d369935d865c44acf4b87fbf6198d3f23c9d56ffe5fbf9e0c94199891cad952b4a13be985b50d83baf21fa984204b433b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
fcad0d55319c05423bcbc5694510f768

SHA1
6e34875b02faa503a43020b7f6c81a6ffcc70e23

SHA256
8148b78c49799f4fdfa43214b308a1d4af522b487104b58bcbf8afe25cef7ebc

SHA512
c580aaaf0f4105c90d5019685219d0919a612958188c88694df69b871dc8cfe70e7fbbba14a98299941b3525c81ef8121c1e56510fc5e2a8122dfaa168e78449

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
53459598f11ce62b07f971353df5ed05

SHA1
243190e75cf42a4b5ba9672b4558586853034741

SHA256
ee59c1938db35f881970945d2f40d2a0fbdecb78f0a88dc17f1d49ccf01d6702

SHA512
e20d117a0294648989c8d74b40908ff3dce9b197826201be0bf5683210b4aceb38d85deebc18b0f460a09dd5718257c9d12e7469e4bc3df471b1eaabeea23d71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4d13c0bb657e6180998fd09510bd565a

SHA1
97747ec208135d09edd7e7eb625971c6458f8143

SHA256
2c9a2c60620c647d8ab881c13c41eafe072be48612232849b6540d50c2e1b0be

SHA512
720917b6591a871762cfa1fcfc80ff24d7fbf41fa4f901c59a81e2ab1e6ac85fd4931939efa73702682d484358b7295cd7bc2f52aa581fab522f41db9c2b9ae5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9851ea151f0d017a2af67f611a8af05d

SHA1
0228471fe2254fb03eb96908abe2e5971202fd55

SHA256
3cc94395c38a4bcd8a11407fb94e945616e066e505ba2d1c227970af45c02bce

SHA512
f4fb56163cf3ffe59dc8d96066cf9aad945236cdb25da67d0ee1c97b4989e347340c4a402dba1c9c6575be2d58025a824fedc167975604abe2623ade002ebd1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b9d09df20181092430fbec48257f131d

SHA1
507130b66d71972d855c4dc5217ef2ce89a54e60

SHA256
69d8c36915f7192385898145114b16940ce5b5954d2bb2d2335eeeb390c15e6e

SHA512
0693094b9e8570de8399c876108a5b46756f6f539d23d1302d35e319562e657c4c33be6fe7bc30ddc1cc5e8d8cded47c3797144a567497ab16314f942f485136

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
e5d187946eee1e9cb6e56e8247e8b175

SHA1
68b90cbf1f1e5e8758a1cf662f63686fe07ffc51

SHA256
9945bef203300621a9e367772fbbf6cad46fdb10f9c4954856b439c92617fe1d

SHA512
d837294f949e3ca02bca50c10fc4bf1544734bba5eb656a06e26010266633a78f63263d6cef5a6c9b38164a2629e99cb1644851448f00abe5a6868d5ba4c302f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
af7357970fd85de0fce41405778ea5c8

SHA1
71caaecec86520d6b51ace947645bfb159527fbe

SHA256
f961571b00a06ba8022c120bdcf80825acb4d72e41e9e3d08ae2eb5ef1e77cf2

SHA512
7cde52d7114c0a4f21f55082abe449e0be035173bee22f907b6649879e9495bd1907a673cd1446368800bb70a5213a8acba55b52adaf14820a6b68aadc74935d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
9c3294794d47e702463e1b706cf0f63a

SHA1
0f786dabd6a5b42a62a577cc38f7130842d6c931

SHA256
8d9034111ac44e5f52356365c93ae31eadbfc1ee917a72e712ec9b7965f010b6

SHA512
1d110896bae9081897e3c9187152636131d48b66b4927a6544a5e9f9b5b22390165c74753bcfaf560047414d3f540d136065d45d7afb254599a57a8180b0f452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d6322886bec769b88e5fb1a7617bff5e

SHA1
8dd4ab882543065acd81929b214936dd6b2b3785

SHA256
a02a82a7cef6e0c3f77ef028462fd1abd27aa3728499e5ccb641ce0a579c4e8d

SHA512
d3b9a2dc7df04369378f72cbb8187088359d21a969083b825ddb1bc95df3c5675529b7dfe2d8da4a89f53100040342eba4d9a612b18b1cf27635bcec6e1a410c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a56047674a4a095b39f2572eebbb16c7

SHA1
e3caa720797b421c9c3399d6b5669c3f4ef633e3

SHA256
d9e6b95a0716fd2fb97048b5bbfd26fb22ab67572440ab9acd1d8b548bfe5391

SHA512
5170a2dd85852de51818cc32410b0bfbc1b967cb93f3bf94970b663c0ff06fed0a38d4abb35db17e637e97864ddcd05658362984a9fc50e2bae25625325135a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
889389ce7baf4bcf17f05d45284e1afe

SHA1
9b1d209ca80e6017ff8dc23c4e5439a0d2cca144

SHA256
e4015191dd897e169a47f98a135e348b34e73f410b90b149a96f31a3ceea1272

SHA512
a313231ed6fdf311b010ad677102792b0cab0659638f9aa58f1ea9ddc71add342ef0d4846117b0f2186cff7ee0e8b8b7639957a8caa9b856425310ea80c89641

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1ffc006152d7daec596cd410e47de68a

SHA1
7c223e1f7d582461d2b28e880612289853a3f33a

SHA256
9add60939b354be5009245692e75e0dc1a5e675305ebb32969033d846b467bdf

SHA512
39995a2a14ba5428a48742280f160614d84839f64c36e60f89ec65bae555efc306cd809092b993795ba1ee718725572cf1a789108b8399a79ee7cbeda7b343e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
ee06b957b78cbb85335f70390b9b9e23

SHA1
11e68725cca78b998ce382708eb9b8c47d53d5c0

SHA256
1e2b47c3ec2eb6d8b0649b42db383442a9680b50b769857d4038c61349cb50d7

SHA512
786157a775c21a74ea18207d5199182baa5defbb01238a643b81d275df3f1eaea06073730bb114a4e0716454a2ca02ac1aceb67ff6ab4a37b81ea3193a2f6e90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
d54af383aa2262717494e66fb0ee029f

SHA1
3a97a464bab90a1da4e644e50a5a9c509c775aef

SHA256
031ca40dc910a25b6c91e628c4ea460c6151fe6aa3d5181afa9eeb60a7cf355d

SHA512
2dbaf618f5f210ff773bd7a1801ae51590441724ad96217af1c3adb6225393b88b183b5eac97dad36660a43ce4b7833a4a3d34eec860a52584dd545be3df6a7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
367b8fd3519b842644017133bb233ce6

SHA1
938566a004ac496c015672d1aa6daf8b8b1549e2

SHA256
c1b42fee427f81ff9ea4323eb58fbc450623e6ef62816ba322d643de6e799c48

SHA512
eba6b1200f82875078ed5a3c75f50ed07d994da956521e129fdb54b6402535a9d905e2259459b6247e64884ecd980e9a750290184f83eb90397bd0f38cff3b08

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9a45b6f6265a5248e5527d92a6e691f7

SHA1
46fc8c6cc4aef79fe1d340c49d68c0a85496a4be

SHA256
cf79d97969840c24a54de70cfb9e901cc0abe710b064a8fc96ac36f748724ba2

SHA512
4c8d271b2d7a36a6c6f22d50165be89c431b2e599642211c86a87a1f799240dae422d11891f395a108c10f81b8ec45b804b8d6551000d8fc3900ed752dd4fe2d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6f20907e7b8bf60588323d4ec1b9ec8b

SHA1
d598af3cff37c7830524c092960457ea0cf4cd3a

SHA256
29a991fab29f256fe2e9c257bd4949fd66a80195d1913ace66a9977d187c50ac

SHA512
558d0e110fc028513a75eaf5f26613a3e18e5028c328bbd9789e22870ed2e8a42921731c4797612581ffbaebbda3549ddc52285269dcf8ece5106aa44886363a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
44249633969f544e2ae8936576742e95

SHA1
d0a1e1e6fc7b1f066d56e90101a3a8cb828c7837

SHA256
c1cb433516fc27f82c7ee18ab02407388ce8abbb80f2b4ab8b4a167a34d895a4

SHA512
d5ac61df17209dfb94ddeae065e3995832a8a3b15b3db716ddd8b6f4d8fbc7e39dc96754ffb2023c3602b28693a465416447197277b6085efb01153e8770420b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
782174de4dec26cdbaebfed2e11f9f3d

SHA1
4c5be345795adc071c865ea31c8526b9648fcc35

SHA256
d527fa9ee88e15ca6f2f3db2006ca320ddb33e5a27a5116169ce07c7ca6ad3f8

SHA512
809410914f45922a99388ffbff38c7d8aa18e0f893887eab63fb47739070a1111250e9e4b51167124284b03c4db8f8ffe92a216a493ac5918d2785d8b175bd10

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
e5248bf6e078cf9465cab213bb99636e

SHA1
e85ea24da22d7934f24e1a06194753ea430dbf14

SHA256
9a99d6e3464fc991c0d7e49081b56b7ca89391604a151eb44b5a20a61424ece4

SHA512
f879758dc79298507f279e6f566c40426b17c5435af35a0ba823556f672716ce19bd1979f224bcfb113aebee99136c625a367c3af142a7463240b85d3867817b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
35f6b7f2e69caf7322992515a8d78170

SHA1
53938d73f8dfc53ce565f354beb664d492967466

SHA256
f07cec17fc3e35b1ddd2b8ec4b5fdc054a6b6a5d09d4c4d217d0e0224afc7e2b

SHA512
70056fa887511221349651791d36441cbc9ba62993c44c28e6afe7f3e4ad164ed1eb0a47f79846449c90741bc28754f63a316c01b77630f1238c5f2e66cf570b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
954427dbf2f4aaea12ae07b737ffc0b4

SHA1
c736ca563025da56789478b29edd12b87d927063

SHA256
54c6fd040f12465a35f18c03ae1ee4b3544abcc206cb454a25ffe2182dc46f96

SHA512
197058e633a28bc7106ab62621c257a8b61e50fd3f11312772f812a69737f15fbf641f86443ef4f46db7e611329fbe29943c4d7203bf6167a0764a8f49695226

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ce1af4abb88f44a3a5edd8eca32cafd0

SHA1
afd608d4dbc50a29d956b014e2365c8bbd4442ab

SHA256
f8819ab7027c9285a3a0b7ea5411380ab4bfecd995b2d78129ebfda83da8dcf0

SHA512
405d644d71f079a34e5b662457e9c29f7928ee9724cc649b370c2c76e9f24f63824f75bdd94fdb7bad5b66d873da1f6e11e318f4d3a2512d54167bdcec3b6b39

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ba92962817b97e25f9b8b79148999f85

SHA1
61c4e58937b789b8ed157ea1986dc9820586f360

SHA256
23c95776a7ae93843bce91daf6efa559a531dc487a934e8a1e380fdcbf4970ff

SHA512
685f0ff6a8ca9e8883d074cf256e26d6ce26858ab696f7888a767d5ad7988ec36b448bcd4c4affa298c85086f9a949f759d6f3c68dce4b16f156c5e2e84d832e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8263c2493216bacc7c70a28afc06c8c1

SHA1
31cd13318585820f57b9372b9f1f2a8846eb79d4

SHA256
c1edfc2d9ac04795181378696a2f09864ca19384c7fa583a7cd31355301aa054

SHA512
343e28ebada4718b7d11b48dc4c955d1f0f44f3f57d862f7f79349b519ce6b9cd9e502409a543984b09b620c250d994e3c7a27b845a8718bb7b72c8de86a4765

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
70cf132a6de4065b4a492fe6852d7311

SHA1
c330c43b458aac1fc875e855faf6fe4e8ddb54c6

SHA256
856ba31733eb3bbf281aff8341da2be86dd9f8aab15580dd0cb66f6153ca5b82

SHA512
e8156ee6c593cce19dd00216aced99673f7a51b20d1ef32d4b65c68f9a3529aa896a44833314963169d8c913d4276cd08ac14769e4ad388e1614fcaef2b48fc8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
60f29a108e04d1e58219b39f8350e2b1

SHA1
191f10116eac3a7bcf3b5cd995c835cff7f02da2

SHA256
7a6c408949c52e023687d5d627788aa7b4d920f2b01973e87a0dbac6e19d7504

SHA512
7dbc9d1721afae7b17aa25d04e0e002f5b5689803daa798e1d666d959aadd5244a6f7bcd0dd6f5b6c394ebbdc09645c40f77bd4f62a5fc3c6c2707ae4e200ae9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5a030e8b6d7f5514c3ef0746fc6ff2f9

SHA1
f88ed5967740ce544a75447af3162b6130f5f6b2

SHA256
0fd06ccc357a4152fe561438129b5a0b60414f420ae05c69002d3b3252dd178c

SHA512
45e726f714c1c6f2c929b18ae65b3c0c1d28323123d6ccfa57cc0b1263957976fb535fc4b828ee947676b7c1f336990fd48559a3f6314bdae1d5aa8973d63cbd

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
1545048e4b6668a9a4756c1057218bd2

SHA1
14d85035391ec564c528de091a3106fe3fabc98b

SHA256
7947d33fe9d94a330fdf4312fb7c26564e0d57eb9974cc9a4dd043cf8a707257

SHA512
83d109bdc82414bc4c87bbd6d9fe27225a4f584402ec5a1577d19c83b0b81995ac160fe5ee5c8c44e0ba261d59e682e4a12da15fa9bc477fe46891ffc7e79818

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a4905fff6b19da12cb2c7cd09153504a

SHA1
988d2232cb1a54f3bdf8fdceaec4951be2ab60ee

SHA256
3e9fd66c0e4154b472b4b79c249e3b9f34515e515c1ae298104d7daa5a3c9d58

SHA512
60056187a006e49a1415eed7c1d307d09f464973e6e7b09503bca0cea474082c5f64bc3dda87dfd2de0e5893040505472fdc602899936773e4df386581960e6f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
935e5024d16d3148c201462057b41001

SHA1
d6da9cbff80b827355f0d151659925306a886398

SHA256
3e64fb78b81e47ce75e3467e93112b11c08afc74eced020ddb1c97fff947d9cc

SHA512
8eabc1d32614254eefe5fc92f38d7e19624adfc14d6bf69942201d5362539f3f3897797459473c268bdc4b696a682e63e629e620575d1d1c3af13640faf6155d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
83e1b84d38e92d454a442b747c6fe9a1

SHA1
5cb34d061bf255b350ffc2805171f1de05aece2f

SHA256
59fab7f0e34ce102f398adfdd19da8dfecca19494dc54ffe535bdf2f53e0cf78

SHA512
361e1a113f195e6d9152fe04d279bf162271bb2b8179ec5682fb30128fc89fe977a98e1eb7e76840baa25215fbaa77309ce9f39c67c336e0553c9119e577659e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
880c87c937057db5cc77513ee6fa6f1f

SHA1
1b686ceda4d31beaea89eb552b99ddf1b9d64aef

SHA256
cdb7b0c6ed19c42b17aa550db6b661b3bb413e303fd63534b88057878aa16ed9

SHA512
553c40e58e916e02b8f22383c68f98c329c34f36038d98f645ebf54898b0aac9b44a4064b74867ff5fe038cf5e1733fbf5cb7df5ff3c3fd25d01d016db0989b7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
eabf1a02438fed64bbe491283ccd1724

SHA1
141750deec99f0517b8c6f3e92808338824716ae

SHA256
f6114eb8e5b79dfd5b68cffea42dadb14bd71adea2d06f2f0d5a90a709fa7bf8

SHA512
8fcad45ebd77fd9fc50352c6479305c7c436518f0e47b4da89b5c5405f6ad823c922d3e50b212d22707233d68416a97aa7194d5c853bc707f04ce2b3a2abc229

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b8ae45a54b22a903cb2ed7c7cc15cc41

SHA1
d7aa55a94f0b2bb5c46839ae539a1bd8c6e87215

SHA256
38ee7501f3c30f1e8771dfb7456e8ea373ba4172a57cf3eef11e810ad936a40c

SHA512
b1358308f59e669dd4d7182baad91bc570e861b426dc3ad92a8d05c57767caabd2341315626513b0704a609e39f2f8ae8a96ac931c838c763cfc86f327e973d6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
426264839967bda3afb5d84d4636e054

SHA1
f48d661f3a405996270aba71a5a686d1f7f684bc

SHA256
f5e7240b35c470c47e0a17a1f2c1c38e0198ce8836589e680305b58b8ffd1ada

SHA512
80acd1a5327e0e71bb1fcf0eabab4a7474b132ed0a34a86ad8bd764149b3006a2659dfb1f4fd1f17aaa635adbeb12d53d293ebafa78e1e12d036e0efe2458f34

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
07e22b0ee7dad149a8999c8279b81408

SHA1
823f2d5c75c478ec6abb3269dce779f97464a9d7

SHA256
f5e840cf38ad5971bbc16a31ba3431f80dda382c86e6e567ed8446b99fc749e7

SHA512
9fbfda956af280973f1dd78b5172e4fb23542d637936c86ba6cd17123b1c689b605fb3d789bcdb641f5f8fbf11f7c3cd9c9683722cac3a65d3c88dd675340211

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
ddcf1748d95af597dbe34100e2d94f97

SHA1
2cc92f2b860b233c63709940491525992fddd40c

SHA256
17b7f38fea7661c17beef51624f8c185a2d908d709e8300e37d9b846ea630324

SHA512
03bf1363bf76cbf889e1eb034bc4c7061f0a56bf692cf10b11fc9ccb96be732879497d81a7744faaa39341621354090962805ba4ea2a911e5438585747192689

Download Submit
memory/436-120-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/436-240-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/436-119-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/436-126-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1048-780-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1048-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1632-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1632-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1784-720-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1784-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2180-303-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2180-183-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2204-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2204-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2204-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2204-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2576-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2576-776-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2760-178-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2760-291-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2828-724-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2828-254-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2984-17-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2984-19-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2984-18-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2984-194-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2984-11-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3340-196-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3340-315-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/3528-206-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3528-327-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3616-75-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3616-76-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3616-74-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3616-67-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3616-195-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3640-779-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3640-334-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3876-725-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3876-265-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4016-6-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/4016-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4016-171-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4016-544-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4016-1-0x0000000000880000-0x00000000008E7000-memory.dmp

Filesize
412KB

Download
memory/4072-276-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4072-156-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4072-157-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4276-723-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4276-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4276-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4504-777-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4504-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4564-230-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4564-655-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/4724-97-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4724-91-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4724-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-115-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4724-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4832-322-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4832-778-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4888-141-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4888-142-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4888-148-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4888-152-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/4888-153-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download