940f1e3dfe4e3cb755eb1278c946c6aff90b5528dff3993c91b00020069cc928

Analysis

max time kernel
118s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 00:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d900c638f64cd654582e9c9206bc280N.exe
Size

1.5MB
MD5

3d900c638f64cd654582e9c9206bc280
SHA1

0af3c201733bf829d45288a54cc74d8ea3337e1c
SHA256

940f1e3dfe4e3cb755eb1278c946c6aff90b5528dff3993c91b00020069cc928
SHA512

c6ea4b290ba41b09729da29bd29982c63ca3c4987c1fc94d899fa4df45281d88f4220beaa05c7f5acba0247f07418bf92dcec01a6245d01c7f3fa900db80cda8
SSDEEP

12288:C2GBebZ/r0n3bkC1juqJNTpWSgN/wwRN0UL0G/TVOo3HC75nSE33b9YvFH:7GBebZjabhoWdCN/j2GLl3iFSE33b9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4076	alg.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
2080	fxssvc.exe
3164	elevation_service.exe
2356	elevation_service.exe
3988	maintenanceservice.exe
2460	msdtc.exe
1548	OSE.EXE
1824	PerceptionSimulationService.exe
5008	perfhost.exe
4576	locator.exe
1668	SensorDataService.exe
4108	snmptrap.exe
1084	spectrum.exe
4736	ssh-agent.exe
1508	TieringEngineService.exe
1132	AgentService.exe
1752	vds.exe
3536	vssvc.exe
1712	wbengine.exe
4112	WmiApSrv.exe
3696	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3d2b4406720dbab7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\System32\vds.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	3d900c638f64cd654582e9c9206bc280N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3d900c638f64cd654582e9c9206bc280N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000047c941439bdcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac3bef419bdcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f6f85429bdcda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb74af439bdcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ba7be429bdcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
2252	3d900c638f64cd654582e9c9206bc280N.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe
3296	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2252	3d900c638f64cd654582e9c9206bc280N.exe
Token: SeAuditPrivilege	2080	fxssvc.exe
Token: SeRestorePrivilege	1508	TieringEngineService.exe
Token: SeManageVolumePrivilege	1508	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1132	AgentService.exe
Token: SeBackupPrivilege	3536	vssvc.exe
Token: SeRestorePrivilege	3536	vssvc.exe
Token: SeAuditPrivilege	3536	vssvc.exe
Token: SeBackupPrivilege	1712	wbengine.exe
Token: SeRestorePrivilege	1712	wbengine.exe
Token: SeSecurityPrivilege	1712	wbengine.exe
Token: 33	3696	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3696	SearchIndexer.exe
Token: SeDebugPrivilege	2252	3d900c638f64cd654582e9c9206bc280N.exe
Token: SeDebugPrivilege	2252	3d900c638f64cd654582e9c9206bc280N.exe
Token: SeDebugPrivilege	2252	3d900c638f64cd654582e9c9206bc280N.exe
Token: SeDebugPrivilege	2252	3d900c638f64cd654582e9c9206bc280N.exe
Token: SeDebugPrivilege	2252	3d900c638f64cd654582e9c9206bc280N.exe
Token: SeDebugPrivilege	3296	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 1340	3696	SearchIndexer.exe	118
PID 3696 wrote to memory of 1340	3696	SearchIndexer.exe	118
PID 3696 wrote to memory of 1032	3696	SearchIndexer.exe	120
PID 3696 wrote to memory of 1032	3696	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3d900c638f64cd654582e9c9206bc280N.exe
"C:\Users\Admin\AppData\Local\Temp\3d900c638f64cd654582e9c9206bc280N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3588

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2356

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2460

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1668

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3464

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1132

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1340
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
99b4ab98c99093ff7a0ccf3e24f90c99

SHA1
ce815dd4cac91df944bdbb3b8992a74979f9a872

SHA256
68db561cd65640b247b2645a70b8cb1625c421c5dbedbc32b6884211282c7300

SHA512
b121ed23e5d314bbb6f7ff0106314f16ec923e5bd447d19251a901c470eefa8e2568987b6103bd14d25112cad3a96f8c4421d1f44c2d2231ce63ea3c8572c533

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c38477e1a8a76ac3a1639d555ad2a988

SHA1
3e6a1a16fbd68e28e45145f359f506773d595552

SHA256
5ff78daf760ca436ad54bbdf175fda07675fdae4d7d709f441b576f4f50662de

SHA512
dec26e3d52bbe51951966b2e8ee19e28155c5680f8b19ac2139f850bd9f0350928ccfce9108b1928e8942e39211569d5c7c8c395b7d68a9582573f7dc8bb996a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
55540fc45b3074cac42ecfb60557253d

SHA1
cf0f965c910ad4607b5ec31c7b33d027e32e98f9

SHA256
83709f089bb0e840260fe5a9280f19166d5cfa3b8bed75a7f83fcaf4efebe4d8

SHA512
b79d25c238c003d9c2d2cf6633a0c47291691d5cc24f10f102489e6b18df4d9e2a6323610035f3db714114bbd6cc77c50a04779fbdf404f9630ef6ac95a5f187

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c580e324bf6d5e009e6fdeda5d67b250

SHA1
1836043606b63e2427e92633b218960a31cd241b

SHA256
ba6323b61c3cd29054afec16b5778d0c7d18ac207a8d15984c2389357e9c78a1

SHA512
fb4017f8f7e82c2881d9008a9d07b297ddcd3fa9f6290bbcfa950bfcc000b93140971272f9ca746df8f8b1ad40e8eead90c504604c364f3f858d8cf0296bb1bf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
f97bd2f7cb5f533963ecf3f84fa8b102

SHA1
11b84ef352ff252afff5b02353e6c9ec489f10f8

SHA256
8b8048017076099ee8f06bd260585047b6923529add40e922bde196b9efc7915

SHA512
7212f8cae88a0e9262879df8ddc0108f26cbd91026cde4b7d462a9c6a949e15f69c8b38b2ff08a4d0f6f80c0375112e1451d7afdbd965b188f598e459fde2824

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c705d7cbc17f0c947e460911e832ca8d

SHA1
8a6d8701cafab67743653b92784b4e3f5ede62f9

SHA256
1634dfb1f32da6aaa073e922bc5c7ddca88d4ec5ebfbf23cb1ce599996e28b58

SHA512
b8b3cf304761d3266f8cf1b0241eab64f1e1d7fb9fcef6c8fd7e390d2042ec329159399baa54312c9230b57cafef249e99427f6c57f90d9614289564b568667e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
95d73f6425401d90bb7b8aa2fb2dfbf1

SHA1
448e4a627de25511fc191d62b878d0dc21e38920

SHA256
6697a6b1c18717c36166c2010660fa18125e938f12e013f6b4f158d3c7ea48c4

SHA512
20d44af807e86dfa9158b71dd357019fb44a34328fdf0e1d3a48e585e66f289f84363e4e12cb03e0bbc9569236b6109312bd73383cdc56402b7cabe7b35a0c44

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a984ac90721869fc25de40d8c65b9cbd

SHA1
ac7cd8c5c2cdd0a3cc88563300155ef0ac46272e

SHA256
5289514bcf2bb4a753157a985f6f22f42a4c2e3ae773eea5095307679b4ebcad

SHA512
dede284a27e08d16db4c6f011b97d395eb36ec2c5950cca04ddf4f3dca8934ddcd86a1b87ab9311a57ffc8eedd3ebb7d3cdc43646fe5bf342651184a36173a7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
d13341ca0f784d549aeaa1807c8ada61

SHA1
d12782b7c801756e600f66b79b04305949bf1329

SHA256
2c86faf269954345feaa6178372864f022952655e006c7c28e541d04ab2e9f03

SHA512
1b7248f3897ff01ffd0e09f991d7aed0f436c05dbddd4b2df01f15185c1491b07e5afeebe4e8a6ca2c0e64f4ff64ef89191bec38df3fd55dbfac1858f037efd5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7ac78c842e489fa80699b3ac232731b2

SHA1
e2b38235d89e262daf14d54dbb7a2bd9a1946e48

SHA256
74ed177f1184bc825820f52ede03d0000c0dc4bd93c12d4a2edce2aeda7fc589

SHA512
256ba322ec0d83785b828e0bceeffcd2a0a8bac59fc3f7329236066bebe995288b4934a995bf46ac418d54e7eecba1de698b74bc1186afa5fb7110a60dc7e2f5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8d979b44ba80ffed2d3996c0280ae543

SHA1
f6582f024a50129e4c4ccc11e26e109685fe1ad6

SHA256
739b9bada730d3ed67bfd371d2aa765a0d72bf5995cda7d505d4277ec838070c

SHA512
e8dd1e7063926ef7bcf77d78c62dddf7d03024983662d3a1f2e43c081e516f5bd1543b6ef4dea29e1b4ea4335fe660d815ed2e8bc043a7df4cd5791dbd490b95

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cb7ff3fa22a6eea9a2c64156c5f6eceb

SHA1
91d703eb23d95a877834fd8b913653ac8e4a6419

SHA256
045209aa21e0db1ce8834c9d0514fe9924835409b922a4313f36a55da36c8212

SHA512
93ee3ba86ed0281d3510119f7830aa75baa617a13141ee72b9692cc905964c53aea858b33ed70b59e97ad9c1ef60104837e45b5981945e7c2702123690da83ee

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
aafdccc4c61dded7141e787ecfc1e1a5

SHA1
797e6d958c99753cc88544a79077a036370ffcbc

SHA256
d2e90e4be98c047664f442f08eba268c0ecb274f60b42f01f216bfd9cd0eceab

SHA512
560cc228a03663b94c6a6572186a0c5c15675206feef0f992a2d07e4739811eae13150f09c44bf4a41b75649b191d455349b2fed49cb69bc187aaa1126256d2e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
054b9887be0b7c1f585715b412508ff1

SHA1
0206f49e38b80de431de5a9628ea36d287fb2aaa

SHA256
54a4b176371c296b46f87647bf496d1d650e61424d7623c61eaba681c5316daf

SHA512
54013861ede69e8151b0b676ac99ce2abea4e17a2d3b7433106516fec6b7c22fcea429c304be89ef6f255bf439fdaf74ddef36ccd73d3ccab49d7f64ff2e7b35

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ca2541e57f357e86675d06298d7d3605

SHA1
147e1f0e852cdaaf358702e7e77637b1d5022529

SHA256
3c9256749b5e9759dfdcb781ed1b92a10f0ef586df192a7c9ae5e673a4283b65

SHA512
17d0bb09f1d2401730375f62545b29775398057813e6dec1aca2d4395361f9a06dbdd6214203a82f72c93b982b03bfcf1b1dbf10894f96e24fc9e06e98e927a9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
b0b2441f919b9a7bd34ac62efc61a7a8

SHA1
28380e21d09586d3ed314d5eb332b603b89376c7

SHA256
9ca46d5f2b9614a7c4d8b7bc155b3e6641a55205b899999ec0948b781582ec88

SHA512
13a81b7e3d11173d6a36a5cb17fc5c9d6d697bcdbe91cd6f977e6752794283b317df135197c44247f304f97d1b41198dda6b8e293c6f4de4c700f6f992e61f97

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
5923bdbffa2860da315099f64f653201

SHA1
01f40867e5806a6b65754475d6540d5c57d3e4c0

SHA256
cf87c2d5de5b2d6641eaba2ffcdce992bed179dea673fc6f72e26252231b66c2

SHA512
dcdc5cdd5ecdfba901acf960a7254f447572855e27a11706b97b35b3a6262e2aa8af3bf31fffc65ebdcaaf679d8fb5a7dd6bc6b901ace5ccaf7359a7c462cce1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
b33a12c5c03ff4813a6d9a5a965ac041

SHA1
d607f07d3170a54e14d27af08a2816a272dd9702

SHA256
2939078d585156b5a7cc839b285a88c8ec949ab338b300c5f12e326fdd847151

SHA512
21995e6f74c040d3b4ee7bf094d843ce3e25db2fa71dccea457bb3e2da2a7ed38f4f8fd1583eb1a23d35df80fd2b4b9b770247f9e7f61277e0da970eb40f55b5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
b70867c84ba024e218c2cd70e47a0cb3

SHA1
7aceefc9b852a61f174c4f7a8faf175ce6666d69

SHA256
ed56bcc8830ba3c52a7e810a2e46eafab571f93c6ae5fae65ea0f98da89f9e90

SHA512
6ae59849219aaaab207fd1c438b677a192598fbca98220dd7a5935c52002f7753863db83764855837317b6e4a5df847fa3d6052463ba672d7931dac773fd794d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
dac1a1ce79ed1dea214c2a9142b748ed

SHA1
3508dc0956666ac46672073c82d43e31780cda2d

SHA256
ed8870e9663f11dd8d595b296d57e3b72b4b1907c446f8e136f495ac15cb7700

SHA512
bb0f852ec7b8deeb9120cc26e5964953828a4ad77003254b2197bab0abd4a147e8c6d0f6ac012e12650f73ee225d58fdc340057f1a69e4c6ee24aed8b228e105

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9311412e68f62e759b0fc90463fb20a3

SHA1
7a3f246e0278d100112871c04038c7d4c14f1bf7

SHA256
b3b72e5a00c545597874b85dcd99fe0ad5eebefc1cacc2497c9c709530eeb516

SHA512
bb761ce953edb4530daedf84ba44de8d32037c737a854b759f014955c98cf3ad3e261b2d483c39d35175df65f980832a49a43f8a6cdea694895d0f8168e769b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ea8bd462e8db06c0106632a1300ef1d1

SHA1
ce8bd971259e0855f0270a86a6a9606560bbf70a

SHA256
037c4517d2cc668c109670ece8e37dddac8f2ab2344e43f479a524e8f25745dc

SHA512
dbb0af943d722fd57c5f3958752f9f1bbd0c23f45d84405c1938ab86fe15f90c27e44caa3d27e25dd166e4e4b0b53daf48be2e24051c6d30bc5801007881ed77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5be310807748300bf40cfca7ac8d8280

SHA1
9cd37372b3b20b753ca1b139edab1325094859d5

SHA256
f978d3de1b715b386a3f5df0a79bf877116a630626a19deab2343ec4fdf8fe21

SHA512
5b127e50a8de264286bafc59d6d6b0c8145efab96f9f96a90fb5bcd8771f4bb54cea396dfe451f3e80b29f4dbf17bbc37c50072cec26a07c53344e625c32ccc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
949a45a22aa138425d37c1444a2f7792

SHA1
5ce5af4cd1820f2b0e208f6fdaceba627b517cad

SHA256
594a5b60fa374bed365345bef2b905acc2437591ad25664e3c6cd6024a11f7e0

SHA512
ff7c20ba698e3683f91ea977971ab51b73f3d589b465e03456d9041e8ace26d466c0394f91ddb651b3a912d7c73434567d35bc5d8aaefeb0d26c53405b2fb9c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
80047bfcbbbec0410b0e0902f5cddf4c

SHA1
2216360ff2790b0091d36bc368f1dbda0c072eec

SHA256
a70012be160cf78dfac56d2cc55009a62cdf1d5c5e8bfe64e14eeaec4dbd32f9

SHA512
ec3844dfee2c1fccd62f941d39676aa3b586bcecf80d25a786353af070b89b78dc43d6ee61edaf4c1c2416819d05ce4a47508247b79e747c7c2611b616c31313

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1f7a1c93efaaedfc96445cdaf52d066d

SHA1
529c71df50f312164cf5b5586805037fec7f9d01

SHA256
fd25b1822ea6835ae729f2fe0b29f18512d4d00417aab8e7cf8cffc7fa6bc875

SHA512
52b1c0512b2144327fc226e70cdaa573dad4304c861bd20616f97ad7d3ba471bc0480f3164aa3568e5724d74778e8ec7e46828b6914e53e0eb582d24148dc5a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
93420c644540beae8109becc3841d1f2

SHA1
a58e657b0e613e78d1276580083460731209109d

SHA256
c2cff67844db54cc2b3e78d04dad68086b8b1a6d81f664600759f69f9a26833c

SHA512
a6c1fab3fbefd9073d12f04212a674472333c0af7a9a1227accd361468205a9ec2d4da838335d5e37e5e5f6fa97adf373e9adb91708ce72516552f7001448e8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
9c9711ed7ef7f7db1a7dd3068ecda57c

SHA1
9ea68a0d69c8df2d94eaa8d0a5ff988c653e76a5

SHA256
68020eff1ec36f858ab6c95eb4e4e8095547f69368aca64404077befc907cbd1

SHA512
bc22ea66b601d8e7798e7ade27c6111cde16658ccda7246d32792cb7f140ba4727048e060317c8471057d319e0d30c172d0d11a4a9ffed0db4ba59916cc08045

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
43c4d1fbe6e64618907bd734bc09854e

SHA1
5cb102091dc29c428cb19286b143d73039a84bf9

SHA256
888024a8b93ab4dec896f09d2b32aba4f9d56fef520bbf7fd033e32ca41fd434

SHA512
5b1c23f0e874c9c24ae87d5a50ad770d0f4503da7e2c8d77c35cadcfcb1679031ddbbfce144f1dcef6d98fe1c46f6bd1ae15fcdbb85f26aeae7e016ba3d70cb9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
db1c80a99ff8610adaa64ee4ed389866

SHA1
4dac63a32ebc7c1a908a1a91b92efb9502900d80

SHA256
aaf37c10c48e3e151f2b99113cc59362276ec5f471e908b834a135015cd71142

SHA512
5496e28baf529b0d1ef26c440c59a874569fede16c7ddec7a4d13879f9b4aef396ff839149a92706e444a42d1333644b4e725fa1d647afd9aa95bd048fe53a7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
a94c5101fbe7605acaa837455a20adc2

SHA1
d5b10a36f8d0dafe5514776d9bf9df04bca5af5b

SHA256
6821431a3ba42d7ee0f8e227bd534e09d8d2006963ae4b06d4e00508fa4c32d0

SHA512
ddea2401ce621b7ac385cab9ac13e43e1d8ba9a7188a8d4766dae5399b8443ff9c7b12649465df2a9a28af794897fd0001e35be224b9ae019f44369ff1610938

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
67c9e2fcaca811afc182b24f1af7d46d

SHA1
336d01fa97493011f1beeac8b6f3e0e58ee21ff3

SHA256
97e0f2ce3c83594a7430c463d86fa281465bc3ea402bb4addd2466750ace2d2c

SHA512
1b5a8bb57b7503d3d4e6aae582328a60578e8af3baab65d8989dfe1db7294114b69508530e2f817eee9d3989cb0f43fbfac7acefeaea2891d0d91fdc9af4ea19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
718ba92a2fc749b68eff1428f49c0b59

SHA1
8dacb5ef72ffaf71123850539eb41abfbd8d18ce

SHA256
7ef345223a94b103c22f0ebc388cc7a5db429e882eb70eb479a49f2ddc07d4e5

SHA512
3bcd3881c228813d8bc0b73c36ea86eee1ca7dd1a2b1410ce397944e01d70c0f9659e8cbee2261c9ef1abbef6ea4ac438b7d0b83d0f8f690d373da113aeb8329

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
b6a8875b9781c33f05bd5bf83a064042

SHA1
64ae12f3a2d970ef9fa0687e77c959a6a369cf04

SHA256
1edc197303e586d184bbb32854d1fa25dedd29d8fe9f185a27be09dcf5797b33

SHA512
20050ca050dc5c7c1d03096c3c7994a023748e40130046c970c617edfed67ff6b1e8a7fd22b8012714d1b9c7fbe7ccd8c2531c78b3a202b7174ad066a1f9144b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
4cb8fcab29b390dacc56de4cdf0d225b

SHA1
8b5bc492d32fb890cf193c4f7506ddabdd42da8a

SHA256
7f3e7bf197b8f603003462215a4a99ce2fadbc1e51f79d766f58a10557f1f4eb

SHA512
5f09c0bbee9cf45b6e1709667707fe0dde298d88cbe887f4aef2f18fef5f314dfe37a94a4449a2a54209717eceaa590c2b3b2aa60fdc7190c6b3a865e309b4fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a3afa47a4561b8b54bbbf7280018c232

SHA1
fec5891b8e963d2f5a46430ce6dabddb9377e85a

SHA256
dc094b1acfddbcbb527f03ae166736cf13debdf7f192cf5cb9ed6d84c0336140

SHA512
b701f39772384b920ceaadcb39b66815d39e474b2ee081cf377f66395020da9a26e0f4abac0ab28afba84864f2c1c34a1de93f18cab343587b85563bdac9e1e5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ac66cc6f362b3721ad85f9276abe7e8c

SHA1
2a1d8297beb7b6d94bae60ee705d1a0b05649de2

SHA256
359ad0503752398761eb498f06c1501a06eb66cb9dac81c990051596912c8e2a

SHA512
fcf8ad966e1925c16e6d8d0981f0cec79b7d2fc9ec05ea65a8c62ef712e001161f023c586d083bb07e24c6864e1ab1fb07a412a08865a184b6a9c8ca04531688

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
7fd2344ed1363534a45c3994f2571d35

SHA1
a3a420587c716ed07713cdd2aad9b7f2e5417b0c

SHA256
badd2400abb9b873be7307c56f187d953a8b444c2f2304323f59f83ccc082d76

SHA512
96bd7a0856b57a7b80f170284438acf45806227067208416971d9c855fb0db67463c16c6eb6e852868b5af8bc2bed85dabb04e16ebc55cf27fd1a2152b92fdea

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
58e47c00a686215b8b2380db46b04a84

SHA1
b82dad5602f267d7e399ba78fa898c569f1294c5

SHA256
8c2ecec3d5271ec4f8f64761041b6fd7d47458197338f2d086c6771b62027417

SHA512
f7fac10fde704e7c423ca55cf0b837710030a2f344f62f3456bd04d83fab258b1ff1784fa1249d03bb59aabf58416b067a31ac4a4cea343fd0a33174b15dbaab

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
98048601c2c1cf7026b4ce4e9be96e87

SHA1
d41197c5ea61e628cd3c4af65c2b733ba4be0ed4

SHA256
469a356227dfd99897bfc49f7f59a5f740b6d7ef2e6048466d36c4a0c06b56dc

SHA512
7d85df747c055941fc8c09be25265ac277d7acea352544581c9abec1585181f60826586039967489de5e83054f4ef1b8a4de9d98109e762635f4ef75b74c5ebe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
2273f565e9eed853b8ce9549059aaafa

SHA1
5ca8979c1b1f34f398115296004a61971d57f71b

SHA256
f49ba37ca634d348be5f358e5af6c12c5a784b3fa9ae3354a691aa8d9c84b249

SHA512
79b1b87942c7fc8158e797441a0200fcdb97e5e394909bd116303948afda6c6a0280ffa44d00a1ea3a27cde7caa78b00c20795acd2f0cd9df4056c6f06cf83d3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
94a687d53f5a2fe949e89727b69b7a80

SHA1
687a3fac177d30b0eba38976c8963aca7695a216

SHA256
d9ffcebe50540299ce4f71068d995f2d8ec69d67886e88cf6326716ba5164df7

SHA512
0e599bfc5f256f6ef9d3b2266eff834d8e83495a8403aad654daa8ff1c18d7f695d2c6322d852fcbe57be5540fcc20c0800696eed47a85e342221902e237e808

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0873f0378a8f0f2e601f68d14693b011

SHA1
37b1ac4c0864c779d83472fd77d96dde30335751

SHA256
9227b60775bbdcd46ffcdd055e0b617aaa9422eed9f14e3faacae8428e629248

SHA512
5a3c1e4f3d709c80c8a4d052a8b017ddfb5c0fe3b45e7e69dc8bce13d5cffb6af2989d35ea45fefd1895d23c825fdbf5c45bc0614b1cf1bde0d37be9b3e93ac3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
084658e6ae5090ae13479ac759894962

SHA1
4bf58ffc7c1f32befdabb3f33c3af754eb2ef47a

SHA256
bf1d59d880224f1b33f2a90bd275f53b87b74c4734ed31910b9737fd040ebc21

SHA512
58c618628be89440b0461cdbc5fc6a846f909436b5c72d954c690270333e151b23bfd69dd4c0bb4cd15914df1c35f60331e5185b2bb81706975947c8f7d0466a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
82b9abedaad98c03a7bb82ac6534a95c

SHA1
2305f1f41e79fef5f99f9805a5c9d00c2df61170

SHA256
c4531bbef461f438c390d2b78a6dd2a8821eb14df1d70c252b06f4cbcde79a04

SHA512
1ed9ed6f5cb46c90c561b044c5f9ab551b087ac2430132a77c88c6ceb117d2daef2dbba0d026845ef498769b84127fd138b50d1118c54c7c786d7dc2fd217b56

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
407b741853b66d08584ab89fc8902c49

SHA1
14da2539821c6720667c0db1d75a9fc2529846a7

SHA256
eb20a184ae5c061cf098854f8d58a99dc6ea5574df3c40f1e629f80d60a6f5d7

SHA512
e3a6a3a5f3969fc8224a015a6740ef72fcd19870d54e66495d56e47562a6f0d775b98fd7376509063413c25e170a55348816be11266b6c2fe0eb6de8f4c57e35

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e882f045e4cc164e68aa196a320ad8b4

SHA1
8e5d8a145b7b019c55fb427e9c638b874f8dd054

SHA256
0e3ef2351fa3ff08c290864d68fede349b137b2f6300225f57b0ececdcc58fac

SHA512
52a180208258ec48c7105e48128c8b5ad98fff973ba0bfb52a65d1b57eb081048f892654a24fd0dfa99479b18ab5359e38462d40f9a158fe65aa8b68217e1f3b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6c51fbd075ffb02792aec075a840712f

SHA1
162d69f177f5822a50e529e1e54933afe7a98896

SHA256
b519f3cb019a92380efb4b246a7f9a7c7d9eb2bf34b846611fa3b7a33bb3b24e

SHA512
a13fa3d022d0d986cb45af6e5aa95de82d76a4167e25339ff5e6e42c8f0cea6693f67f4d149914190667822c4ffe6438456c23d601d6af84c4bf80e465c77f4f

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
9403a8463f7d1bc3d8aa4edd9655a215

SHA1
86f503b3351f3abb8df75ab54cfcacd4c82e3948

SHA256
721acc25dd72a9de7ae3719ad094a195eca8a3faaba7c92b398b1eb524e686bd

SHA512
81373d89ee7ac3ee26547c396c9f225664a3fa0cdd1eb91f9a1466dced940d32268d94fe1e55470e90a352a8f5e62e98894aa8e01d52381265f0c82a3fb0974b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8fa7f7a9821c8474c9f8afee679051f1

SHA1
c0e2396979e149b50765d11717f5fe3f081428dc

SHA256
240ee6fa00630e7f8d51b48484fbb94eae49cd522a0fc12f1b6228f805b79a24

SHA512
259415bc24e894995ad45108ce5de23781cb4c4b9dece8eafa46d180c4ccba3b8e2d451bd05f5d5f8b6d2d16747f1cf6d39ff98e6007092b4b2423fbc4490f38

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c25bff8255d2725c01ddf3c0ad2e0be5

SHA1
a75629a345a56d0e090edea82b7e7d5f2e737110

SHA256
855b6572ca302add33f821beb694f41d143858320f2eac4f08f9365d75445b7b

SHA512
782887270083cec4c001f8b09313630acf3d6978257222b90ead1f54db23b66a9fd9fe2fa43a04590fb36936a88066b7dc4cfa5b0588b4a9d479166701f0e627

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
deb5657bc0ef34e99080e9a0cc1fbd23

SHA1
c637d5bb6997dac65dfa68b2e3a4b846fc3bcec3

SHA256
085aab6e08414cae1c2cab42fced29f2da7dd774d0ce7d2e9d9b0b5f4c79a9bc

SHA512
9750368fa6d19275bdd39a73c8a5d0ca070e6070f43fd5fe1e69a901c1ad5ea88b96bf0214f1d5bf870689c62a7a0514d4d98d580ce90af2c50b09612c742b64

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
b953485e4564427822ead37070f12d20

SHA1
fd47d52b9c64f2676fdeaf2abbe83f680d297f5c

SHA256
13972baca15654d1186b6606df1f045835d1ad1d4ca5f2d8b1e940d5b4fba4c6

SHA512
c707d1f9c4f38321235d412594d908c21afb792536f41a71cbd14a9d223c0566e9bd69632b1d4151c3c5bdd98325a44618870fd0097b0e6f0dbde92f3106d32a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
22f9448b6a754ef2323d3bfdbb263012

SHA1
3f8b60c8483000f78f0afd9811a39642a0fb7c38

SHA256
437d38c46940b80384224bbc1157f9e540117fff8bb85e9cc85b6272b6655532

SHA512
9a01c68408e225b81e677738afb7ce204313803c34199f50f614cc1f55839f7411d02d3de8cfb8f090725dfa44fd8c75186fc092167d3883e6eafeb690a5d522

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
66e47906db6152e62d80a6a8ea94f859

SHA1
934cd9b80adc663b6015fb814616f9645a564b8b

SHA256
13b3f5ff61b7657c42417513af580821d6e481145e25857cf6048a3dc919f4ba

SHA512
f66b7d33729bff03b6570b0e5008cbc14b272a07bef7d994812b1558f2f6c907d4e7ec960492700da6eb3828fd259fa200944993fda74e86698980e388265fa3

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
50e84a68913c0d4539144ee32b85a9eb

SHA1
f4efb2dceadbaff3e62a612c601be35fe3c7ec9e

SHA256
29dca3aee0a380c8fa1126ac6a72d25faede42e0f7bcc05521f1b2f2140fc058

SHA512
f97bc18911317965a39b18c0f53a225bbf89e712ad74675e862b58f54e05b04852ad86b70324a8ead9d13035c2dabf0623798b3a604e128fb07d65ca0288982f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5e78aa85f649c280ee792a619ce21add

SHA1
e6e3b1ecedb37a4ecf0e76567e3ca2085accf289

SHA256
c9072a0788b068030bc2387058648090f4b06810e9b9db8abc8d40281dec9ce5

SHA512
7b85acbb4f33953d34a56911576d0a73cd6231059b6e0f7750352f765016e221c8e935e0d5249269bba8a0a095053b3f9388fea5c1ae58f71b64f7ac636bc87b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
20dad1c509756820259e4f5071679bb4

SHA1
0927069bea13bbeb4ee94c622e1339819f74cf28

SHA256
0bde2e033fa8a8d16f1969ee9378c464a2548c9798841d61ac5c519175b6e820

SHA512
25a7a73e917f612f43613c8702f7e4f79d9f0fca9a647194cdf77272662939f7d3ee47b52fc010f9a7cb855c6a06a60b62d1372d1b4b4d60509921b22b8e948e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d6b51fbc0b59672630205adbf31c8ed2

SHA1
f0c450e450ba7483a6b555d35ae8a47991625ec5

SHA256
3e0159cf596b06bc0762716868f6a07714a3171c162a290d5e8edfd9f250d5fc

SHA512
403e8e86fbf0da758fc829912cd48ee9bfedd3ffd84306b9dbfc5484a05df59f84381813cce9aa9ff645e67ec7609cfdbd7031f4d57ec2c0d2e7642ed9ab5c9a

Download Submit
memory/1084-343-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1084-122-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1132-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1132-402-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1508-401-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/1508-146-0x0000000140000000-0x000000014017B000-memory.dmp

Filesize
1.5MB

Download
memory/1548-82-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1548-80-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1548-74-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1548-153-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1668-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1668-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1668-378-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1712-405-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1712-162-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1752-154-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1752-403-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1824-89-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1824-157-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1824-88-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/1824-95-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2080-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2080-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2252-6-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/2252-1-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/2252-73-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2252-0-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2356-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2356-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2356-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2356-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2460-149-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/2460-69-0x0000000140000000-0x0000000140152000-memory.dmp

Filesize
1.3MB

Download
memory/3164-121-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3164-32-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3164-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3164-38-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/3296-23-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3296-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3296-15-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3296-100-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3536-404-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3536-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3696-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3696-441-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3988-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3988-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3988-54-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3988-67-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3988-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4076-11-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4076-99-0x0000000140000000-0x0000000140143000-memory.dmp

Filesize
1.3MB

Download
memory/4108-281-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4108-118-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4112-408-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4112-165-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download
memory/4576-111-0x0000000140000000-0x000000014012E000-memory.dmp

Filesize
1.2MB

Download
memory/4736-380-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/4736-143-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/5008-106-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/5008-108-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5008-101-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/5008-161-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download