8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
Size

648KB
MD5

ccce6b5f8319483dd3176722018f0909
SHA1

5c44a5446385c46edd377198a26ee46b1ac21c64
SHA256

8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f
SHA512

376d815a1fe918203b489e6d38bb1e14b4b673624828c97377777b70ec1e281a318dcac62071b6bf7031c3617d3e712ba1a8d2711c9982919c7bf0d6ccfb0c2c
SSDEEP

12288:xqz2DWUMGt/sB1KcYmqgZvAMlUoUjG+YKtMfnkOeZb5JYiNAgAPh:sz2DWit/sBlDqgZQd6XKtiMJYiPU

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4784	alg.exe
4668	DiagnosticsHub.StandardCollector.Service.exe
1452	fxssvc.exe
4804	elevation_service.exe
3996	elevation_service.exe
1448	maintenanceservice.exe
4544	msdtc.exe
2580	OSE.EXE
4780	PerceptionSimulationService.exe
5080	perfhost.exe
856	locator.exe
2076	SensorDataService.exe
1056	snmptrap.exe
3296	spectrum.exe
4988	ssh-agent.exe
4864	TieringEngineService.exe
1832	AgentService.exe
3908	vds.exe
3512	vssvc.exe
4308	wbengine.exe
3620	WmiApSrv.exe
4208	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\locator.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\System32\vds.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fdc58b0f90c504c9.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000810b9a6ceededa01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000056e696deededa01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009952106eeededa01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a54dc76ceededa01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a62bb6ceededa01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004926c06ceededa01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbe0db6deededa01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006aa01e6eeededa01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4668	DiagnosticsHub.StandardCollector.Service.exe
4668	DiagnosticsHub.StandardCollector.Service.exe
4668	DiagnosticsHub.StandardCollector.Service.exe
4668	DiagnosticsHub.StandardCollector.Service.exe
4668	DiagnosticsHub.StandardCollector.Service.exe
4668	DiagnosticsHub.StandardCollector.Service.exe
4668	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5108	8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
Token: SeAuditPrivilege	1452	fxssvc.exe
Token: SeRestorePrivilege	4864	TieringEngineService.exe
Token: SeManageVolumePrivilege	4864	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1832	AgentService.exe
Token: SeBackupPrivilege	3512	vssvc.exe
Token: SeRestorePrivilege	3512	vssvc.exe
Token: SeAuditPrivilege	3512	vssvc.exe
Token: SeBackupPrivilege	4308	wbengine.exe
Token: SeRestorePrivilege	4308	wbengine.exe
Token: SeSecurityPrivilege	4308	wbengine.exe
Token: 33	4208	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4208	SearchIndexer.exe
Token: SeDebugPrivilege	4784	alg.exe
Token: SeDebugPrivilege	4784	alg.exe
Token: SeDebugPrivilege	4784	alg.exe
Token: SeDebugPrivilege	4668	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 2204	4208	SearchIndexer.exe	113
PID 4208 wrote to memory of 2204	4208	SearchIndexer.exe	113
PID 4208 wrote to memory of 2264	4208	SearchIndexer.exe	114
PID 4208 wrote to memory of 2264	4208	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe
"C:\Users\Admin\AppData\Local\Temp\8434d6345aa9aaf3f98a784b47b2806a21fbe6fffd4d6e2ad48e234353e5276f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4132

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1452

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5080

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:856

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2076

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4844

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3620

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2204
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4f05f8aa00b2dff43602f6c6043d0c94

SHA1
8ea5110506f481dc1b241ed3747b8308ac2e9609

SHA256
3664e78a6346610ac4ab6cfd77c1f11672099e160e4328b30803fd2d8125f102

SHA512
75bdb1fe8d9a3736af0fe47043ec20c1e120f5773d58ea933be22d2e429bc1cff5330a177b5fc20928254e122667d208edc125d07f9304e752c91a97ac4788ff

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
5fdd79a19300ee644b14cd12549a76f3

SHA1
fd6617572e9d4b02e1a8dbe96eee19afc92ca106

SHA256
0ac5d1bbabc4231e475ea80e1fbec7fb2c983ad6cbe0649581b8069a59cc950d

SHA512
0c8ef6572a017ee7f12ce1381a977a71c38c5a7412b34215a6d086a7ef50509a02db225fa71a73f24efbe04e44ff7c84a90491dab3761d63c60ae0f56bcb156d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f774e14027e9ed2ee568dbcff064a197

SHA1
99d9776e75b82c26dfe7d5cd3b030a5b6cde83b4

SHA256
840284d42bef162d3cd67581fb936507b09a45c81aed967f689ec5c3a0978e94

SHA512
9150c5fdd6efb5a28198d43b6ee2fc0e3d7062d86b26c4c8a3660b0315d0f1d4da22eb6595ea0319406785313c7bc3e47564200f548490a84192f24d5c3fe335

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3a0c41d74990dc118f58d7edd5c9f556

SHA1
ead1a66f0dcecb0ccc84550bde2421b12525cb83

SHA256
b6fc4e9025b2fe46a9b839e35bda6b1eccb502e4c3f8e30c8dc8cd4d601e4543

SHA512
0be41251b76cb2e8efd4c4dbdfeb52b77c35bdbc5c7738e99695a81729e4b163e0c9ddffb5d338f5e48b1d79612123fd7a3b7aabd3d6582d7740d5a7042bce0f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0a43bc08b1a384947038e325f6f10071

SHA1
c51546f528c6b4636d63fe269aab56df0672eded

SHA256
9fa77ef040ab3d7fe0950d3471b4c4b05d62f57490f1f9f6a17c9167ac728ebd

SHA512
e7903209aefa929bbc6b21956c537639043d9e03d2001a2fe58b0d356197e01c703980591ad018a98aaa356710bba7cce6c0b915b89278cf7040511d33de2d7c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1d2a3eec1f2c91ed6531c7cbc3029037

SHA1
9d9994916e66eaebb67dd928053e6a14803cf939

SHA256
96b6a13f181e4e17bb7ad266b7e2d55de5290bbbaf274576c9b160cea5ad9998

SHA512
cfa5327c1dbabf11b1f98d8e2fcc40312218b86a6d275c319b9744d14f519a3acd8c3f0f198d8032eb0dc89e78673e1c4026e7082699f08a712a5fcee01beaf8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
836fc8515e3cd8d9e41791798974518e

SHA1
a445124c92a9b0a4fc10bd7e221acb8fd89045eb

SHA256
61571ea9d6534648d75b0b79348e8befc7aef858fe1e63e5b640e8e6e94cad93

SHA512
4c1fea14338c2e7556e1c46be1530d8eb7f9329f9a98eb54fc7ad8fd756c89b29e77ac94ffe6704a5d2ff070c0f08ff313b1bffb431434b9908f137d900788e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
af45e9bac3b1e2faeaf790b401db26a9

SHA1
5def3184fc47ecc17d95d49c7add17c5e8516e22

SHA256
2a9f59f2af38cca89b4c948c3a7994526280d6fc88b5d40179de771935c59a7c

SHA512
13685ccb556b9fc4eeb5c664e6877236f7f1cf3701864dc1953b4ad9923d5eb91648895a64e6fdc036812ecd6b418313d9b61831bd88162e6c5aa88c25b7e1e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
7025b92ab4dceabf5d0aeaffccb2b78a

SHA1
4c097d7f13141e7cb1fd237b5050b88e520f63c7

SHA256
7f6fa2b81a00f89ec3c954b2762cab992b2acb255eec143675bb164c2fa34177

SHA512
60ea522f9f692052f9e216d358ba05e79b0a2e790a0b8e054d1790ad00afd68b454be72476318a48492f855d2293b8a754ee1088884de69c39f6951605ad1b93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9272e9a250cf4ce8f3b0f91024ef9b3c

SHA1
8921e300c721a63724fe9f0b6619bee76cfee9cf

SHA256
fcea178822d8a6a9dd9cf394c67061e175cccd516bd62948455cf41457ed4030

SHA512
896125d8b1d279886913e2a50f1218ed9aee0f17523fd73e3b1fdda45e47bb1754ed17c4c4399b7c045b84038ed9a919bae74100eb99e5b92b9d78b410df05aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
860e0e6db86ef9819fe1e8dc96cb2914

SHA1
e337d4b635ce81e0f530121ecd619618f0c7af40

SHA256
805161c8241f7502fb19867d5e02e8a4dbf07bd1b744f447aa7bde00711ac2b2

SHA512
a07f5f50fb36fac8fa7da7b9f564d37c00d828c899db74218ea1cdf18ff75f207cfadf00dcd0ae7b31c99b1a5efccbc53e4a6ae9a03ce6d09e080ec5d9718ce9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a5a19bae89c9750539ad2b2093ba11ac

SHA1
1f01a7ea7c774aebb17e316f5476da020003e683

SHA256
0d442aa50465d7dc92b288664b3077bd2e720f1383591c54df908c10619ee0ce

SHA512
809938f8691990e38bc8345ca0be27251da138c913d6321669f2209b5b627dc60cdae310109b5ca5a8ca241bcf80a58905257919912a79b3c6ab70fb44c08520

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
53e8e76a657bb4a96ec7790c489a8e3a

SHA1
729a8edf52982db3dc811d7e194d5c98e1cda7ab

SHA256
eace59ac401a9b5df2ed2ba43d933914521adfa00c8e8a8c97747e5cc2e74fe8

SHA512
a551f19f2a5084c0f58707b8a24baa2065ea5996b9578f47bf2c1df5f811991b8bafccd437e0eb936de606e487f55ef5f1b7b7225c559494cdd68da9784ce692

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f2509036f74afb81e181f4a33cdcdd4b

SHA1
060e867fb2284b734a05b370dfafb7ca24acf2f6

SHA256
bf83a072cbd0679a5f4e2f6c86ad19236e54193e35b19b65d0e5628bcdbc4cff

SHA512
ebcca9be7a67e0641ad16a0c54957944fdf13eadab732fd23935a6e54f3eef8cc45dca7b70a6e2147f36d106c044428cafcffca30cd01c3b0a70871431edf559

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
33917d98d22b460aca219f6a43f1ca5e

SHA1
7110238133afa0d93ab2e22e0e2cad8a98f7019c

SHA256
137d73d5fab87afd201d7c7e7fe2de9d2cad9c00e0dad78155c93cb221b21703

SHA512
cf293b3e887764abab5e36953b8313ee043c87b21ef9038c15192a5b3c3583c301a125221b1f446e6fa37cdaa2feffd47d13de8bb7ec02fae4908d219657eba6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
26022db33677e28e8273162e0d163b1f

SHA1
55d9529b4966dfe1c1ddc2aa68989b459aae6e95

SHA256
7c44d0898c35e35d2d33fc23e78a36ab9ef5099a1d77905db4f1bbb2b97733c8

SHA512
614d449c80a4c16f317eb89bfbd7f7c9d7342e6e7cb771f5cd822cf719cf908be3552ba4c54256785fce2bfb891d3641b77a5eef4790a86beff2455d0fc7f0ef

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
6d33222d69fcce91dd94e430621f0355

SHA1
6c151ca53328973cdc8b2fb065a4843434dda81e

SHA256
8b8f894393ec5be640b2ba85d5e1110cf256579f988f6c719b61b62a171764c8

SHA512
63dc927e3320df32771a9be289a7d6e90fe2e35ad0a2e2e8f9bd9476c7e2f7b79e6a9e2b9a68725294f59933c253d32fa7200efbc65db2bf903575c0c22f6113

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
8d0da0e7af21a5cedcfcd830bcbe7ee3

SHA1
6fea3c92c4ecd9c75d9ef85b4aafe4135f7d088e

SHA256
7b75fd6e426df996440b6def76df9fffb635811fcf1dba45c64ab8940f8c08bc

SHA512
9f5306ad64506b744d926c8a70a72cfbb03bc318ee75e0e46f5d26703b3c1050315db1f7dbbee56606a9e17cd91692ccbabd917261b7498d7a0ee83ae75f7c59

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
3139ed44a70fbdcc07da2efc3232765e

SHA1
ca21a6b5a26a5593e153ae4af8c106fb5cc3abe0

SHA256
89ad3a3ed327f821de017db86e95c1a56e98ff03c9d46ea34cebe247302bc01c

SHA512
5458f9a87d73b883926944543fa463c577af97a6f7ee74e4eedb3e6a3f9f140610d7d868bbc715a1ea5eed2e64121ed275b04b3c992df1eaba4aecf52574b18a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b3f6fae537f20745934e428eba781c57

SHA1
9811c0485eca971df14f833b7a6b99f06241714d

SHA256
89ff4284fc9ef67d79d05dc1b708af26d62ba8aaa6e41c1776c27ac9a0827cd5

SHA512
a7063a5cfcddb57d2f5871c7f3918a4e294f0748ba0be7080269c090e73cb27a67ba3e4981ad357f6eb21f50c60431e09348aa8c0642dc83d9ed9d466cf60dc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
98cdb466f9b0a88450bab93f2256e6fe

SHA1
77ee64f49f934476796cca48312cfd093f1ad96a

SHA256
03534f79918ce06175ef7a4912ae01ac426f343965a1bbee12d75bd0f12a630d

SHA512
4860cd2e3a8f9a3c7844d2a3c7a7d9ff1d3fa675b1046375a521ac789c39af543a76043222d1892feae953238e34f4831f6f987e767e12e2fbf816e156aa16c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
993d9f7d0cc5cc9a76c7726145de4300

SHA1
9da66a6b30ec62bbb52c1c9b04f9fc546a50f575

SHA256
bec6fd3e18768721249ec400242e09b97f130bed2472a0d4718412e2b45cbd5b

SHA512
7cf66640c4f698cc26e958b8c70d3fda20ca849f0c1065ef1592d782d8accfea672ef3b520377ffaeed66784f4b1affc055b19d90a721272a61b2face3ff62f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
08d7729e23becac43c5f53291d2780a3

SHA1
dc5c18da31f391b4363dbe1bc83f5514a32d8f5d

SHA256
e515e413cad65a1f4894b33b81ad2c133a8a138a36e353c3f5619ff8060d5b99

SHA512
79a5222dbedc5a68bda3d7e0939cdc896f70d4a129b75ecef604a4a2b10988b4517339c4d282f6a056b893d39da9fb619c14a9d68852dfbd85123ea12ec3dee9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
59b5a6ff3f86fed6551a17389d5c6842

SHA1
0a6035a111f0d407a8c48ef348d360053f6ec771

SHA256
90270df484b2f0cc98359337628e8da3c8fff068694b61b786db1b513153d2bd

SHA512
106c7f17d226dc98507eab9b84e67cdf0787018f782373e7a4d3547bdc8556594bb6103016b823510f5068f3c39b3990dc4739c527a4d3d53c6f3f0eb2cb14ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
67c5ebcc3f212f7b0ee7ad3b441b225c

SHA1
a1f58f1c49de014788efaaa01aec4a75f34b3461

SHA256
cb51d721d212d1cac998e8c53fcf96c2d166ea5fe54bacfcc8f8534ffa7475a1

SHA512
106cf9ff4d86c63513e2030fffacaeea845fad56bff08250a31e613af78303ae17aa1b7b5a28225f0a1630e10d8e4c180693c59002ee1811c03b7af16b0550ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
10c53b9db4dcdcd46f5b74b09e8dec68

SHA1
0f8171b9239f0978986ea0ae11b4b2c5e4d00d63

SHA256
9684e31f4fe6bf7923377dc87d44c8c8feef063a01990ef1b0a116d0348a79ae

SHA512
04c6cda55c0984a8f5efe2bdf5dd71c904580077ad5f17b99da60b9adc896dc5d3c1b3561c7a3930253d9b3cc0e5798e06289efa666868905d8a4e8467ca8414

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c6a1884d624967f596bb694acb5bb857

SHA1
c5e526458f1ddfebca66fc797ee4d9f8eb46fa16

SHA256
21893b972f13839c4903abe94eeb15479360cb62acb3781fe36feacf24d01239

SHA512
e6b8130200fce72643ccbbd9b6dfdbb8080b3ac7e6fe59145e6e9dd576aab9d0b47c264219c92140540c305e25ef7a2bdbedebf53af50fd846f66fa60b38e0c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c670f8f24783bd63dee25d5b56cba216

SHA1
f35a7589314afd6f0b31bd5bfdf24885db3a4e4e

SHA256
83ff84dcdf87443d2bf63d3bef9b2ce5795dd406cd102a2208d9a5d5a6fbfb19

SHA512
19d70cef90006658b0b0d49baffd724052f07eda26a27b41e7205ca7b28b3a3b94c91e416f50ae3bbf17ebcf51fafaec71e946f685429d70ef13dd4c6fc1091c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
27f2e623d2b21dc1fbb54de148df6520

SHA1
a3c71aae1f70ce7eb2c50c01f0dd0964fd3e176e

SHA256
897d624e0fdfba89cb3ae9b44b60260ca117f94e90df1ff1c23a87efd2af079e

SHA512
3491e4b88e07e5d15254d0f315f526f15906e3d2d081a51815315bd391192082ebd1526c2ccb841a6245ad6a2145287adde02fad1d8d000affaf92fa5ea364c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
6d050afe8b8f47083d7bf895968d49ff

SHA1
569b9f5673c047c8fb51fb1cc8f0c2e5d1670b60

SHA256
d7ef0d930b8e9bd53102551d9175c064fa5837a5b8373681733c90b1de15ff02

SHA512
5d91af06bcedddf94f7a1bdec76c7c3055d68e197c53eab1fb33cfa1c864b766c06093fca0cbbaad6c805a8bb5e7953e286f3c4ec54d80e49836a837b26d8e23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fabcd266bd16cd1b9aee705963937531

SHA1
10db662748bba992758619142765d4aded226033

SHA256
0efe9aa8d0fa84b089bffa07a61cb0b51347a2fe81c69693d90d641ce7925586

SHA512
0a195fa0b5a2bc5eb15b1abd938d5c5f260b37cda0170afd0d45841c3d2ea96439ffe8c373c808859a39ad7021c621d3b9c949c6eb2624e93e1286c35586c627

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
27686a00b1db2475827bbf0b4b41e88f

SHA1
4e0175421efb42efdfd322da46ab1fd9c6d0d841

SHA256
231b55ef7f2d635118268be5d4c9e0285bf6c6bd03ad616be668b35b9c2d7901

SHA512
c14ba46c624a71bcb9844d147ff65e6339f83cb1be3374ac5854857d0d4d068ed8eedd089b2fea2aea0a6520e498e492c320c442a9ab30a5d01555085ba1c1fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
32438f31eb7b01f23a417a772d716b22

SHA1
f91d6fbcec7f91589d484eeeda91e5ff28140020

SHA256
7339762b1393d0b304eb8995bb84c8561d2c5d654f8b788cec8c4f8ca811611a

SHA512
05e20f7af1f45a0579b0fc85ec75bcf690609968374426c5df2ba7176220e725fcc7a9aeee7e359d1259d3371681cf8934059c844098f480c9b9f9480685c86e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f6214f0444f07252d2fdd05b51d71932

SHA1
865a2b4b4fa406be11491669d00ebeb3bbc3e51e

SHA256
5b8dcba295d645fec104151f097a4ca024fa4b7b3e82647b41c35fb8ac951f3e

SHA512
728a4eba85495906d4a751f4472414bb29db929a266025d8a5c9ed422a2afab2baf55f71dc9aac9e7a8e661fa9b56be6b1a85af0507cea5b03b0f1bae2db9ef5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
afe85537286c93bfee98c7f812a29357

SHA1
374a42f636b5ff4f78c7ea2f698790dfa317e6a3

SHA256
97f6b2641af6b6b74ac557527d5f24dfa4815a448131d9104372daead00be528

SHA512
570dedeca4531cb0da08a4141a00fffafba4342a8d6b32a6ad003a5b3ee4d1120ef368fa8639ac1ef8cdc696bd8ef1aa874dc65291595c1a56d0cb75ee5f763a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d34b7bb4056c1b0c7756246c7e0d3e7f

SHA1
28293daa4e8c2498e11f561794b7d450a7e041e4

SHA256
9baeaacf15d906d71b1e6847d7e2c2ce88a0cfe0bb1f5636953a4fde49e7abbf

SHA512
d50ca711e6bb7ad7991f0d4cbf881a7b5c21fc306ce0b65bdee9a7f5113392f23592b027a37723b98b26cded0c4883fbda080dea7faf92893d17ad32237de4a9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
87a33d4c49e5f9264dc0a3832e4d840e

SHA1
558a8a6419a8380a8150bdac905f1a342fb36a9c

SHA256
fba6356e217276f989b368dc6f6ce4ecc364fb097c8efd822dabbddc0cacd929

SHA512
c68e23c5d4c57e647a091d7e853265f793a7303260f82c9443ea2a8d013b39295ac359545fcc2192049fcd11191ad634a71f7ebbdb1e6367a4da553cc9dbf95c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9f1d1ecf36ce1b695091b888fa93ef7a

SHA1
243c756c041a8c033033977cbcea48a1e0d4456f

SHA256
0ae7a256481a0da210379b4f51bae62995ff5889892c50aa30ca4e794b000460

SHA512
cc0be0d67ab697b8c9a345d100744011251c0b8208096668a8e631da6f862c035adc5344e93e6a11ba759a5f2d755586ac24797803e9fef666ddd63ec570eb3b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
cb76eb77aa8597deda29d264c1f612da

SHA1
e0babbb132b596c4b2a7f5d3d945f43a89ea8284

SHA256
3258a138b06b2354228090da4fde22aba08294d1e1dde5db49e1c173416e977d

SHA512
421b810d0357486924b548044d46d26b19b01b4d58eceac2e1da16b6f7a6654db68c16e8a9c92b7737f640c8ab09935a5d414d2fd89afddc5a6845730e51b126

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
438cb666eff7c7858f2449f13a311b13

SHA1
58c72e7dd0448d2c8eda802b26b405eb52d06f43

SHA256
301706087789efde692996b1d3dd69dc5efec44f2073dcd994acf6b7bad05557

SHA512
6f9c8cb7f404ecaf3ff99edf6b007f106e6242af3bd3f1bce08c38a2de16413c3db3216efe7bcfdea14a9dfca08588539ede26d589675e53dbfd038be4590bdf

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
70040340162cfe78f82861547b77d5e1

SHA1
a20375efb3d0ad624af317cfdeac2966d9404894

SHA256
f4d606a18a246e75f65a8296dd92eb0b18fa275145bbe3188b8bdf65ecb26992

SHA512
33be6b54bb6fca4d6fffb00695a647d0437e152a770b1c8a09d7b6c9030f1db29276e59c60f82db7892ea3b0a52797b28753b1217e63b25446d825d19c739668

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b1de9bd9fd2ccd4358cd3c78c6536b8c

SHA1
fb785678b54443437b27c2d73bfa73d7537ffc3b

SHA256
7cc436f01de0c20b53c1104906e1c172f6b2bd917254e671810eb973b44b1cba

SHA512
a7e5aa23ece87362c25c148b0ac0456c4be0776dccc0f708481fce0e4385497daa52e62bf86cfb8d82085e1b50d32d8b0272117d31b901695d054cd88764e5b2

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
ce021377ad16b87250fabccab866bc46

SHA1
d47398916274cac7b4e45ed28b42598454998733

SHA256
97549a580a011f235d99b235f9b32e8c0f192187e6c1f4118e18df5a35956a88

SHA512
2b4269e3965335b881c5aba240fa751ee6d6c4d214371ad5d3358136d3d83d36bf7fa8c5eb354d6857971ba6512ab5b49641e9dbcacd22599a494791c287cefd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
81902c47b847ec64ac4811ed30f897f0

SHA1
3aae9ab450a830f206398d8746a69202d8b77735

SHA256
9fede1ae890bee9cbbffd062ee09c402e9e4c2e368e6586dacb2523e6edbf05f

SHA512
ff33a8a809cbb27ba3c3bcba009a882af0585c31ce27d68602f4f6fecb5bcb0a4ff616c555b347fd0069f68a016d7ce35c1fbed59b4a64f0dae73a7c54dedcfa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
446b534964d896784a8814affee374ad

SHA1
cbb77fc3f5d4821edf41261b18b5615e6ef6fff5

SHA256
e633e0ecc82367ea6fa7d127f7b367a698e8adfdb0e2fddef7fc4e62397453b1

SHA512
8c18009318fa76b1cf9e05375ebc8ed02e4125fb4f06a968103fbbf2098f6722000fe48289d73ff68a7f29db29e9ac4bb33b577092ae6119d8d56919efed7b31

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ffedbdbc6b9f50e6a5a75468faeea1b4

SHA1
93264229d9b10dca69e800a5a51bcedd5217e1f0

SHA256
03372b7e0da1e6446dc848ce9bf3c0ae64c5ff4b9c46c0f2532cee37250f920c

SHA512
b674062e57dbb85900fdbc19ec80735bd756d198568a32dae14bbd722a7cd485d1ee9da0f4586c0ee2452bdee3a4cf1d618e591dcc59be6a8bcd1720ebb38072

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
326d43367e82c7a06dd275db5243333f

SHA1
31897ea9a615bd4befc3b6ccee2d1e8d26a1bf57

SHA256
34010449a9d3ac07e5cacc6b477156520f6a0575d2afc5956b888a5c24251ad5

SHA512
f7bd6f5694787c55b9f8026de0336e60917e84729d832cf280eb24a6caa5f23e10e27f11ac5d703952922fde9726ab2bbb58902f7b44366047d5a934c6a7a6dd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6eafac5331c214a61452d10ea4a8d75e

SHA1
e47c9199c0679ccbc9068d70d1dd3ea57e6705e5

SHA256
155001cd9e7af5f37641921b2659870b241dfbff8b97bd5d29f7d11129cb327a

SHA512
c731251062f44505a184b71b80232d1c0338da6131e3fc9947cc73c01c81954b451f7fb0b4910be8883e90f6bb117c58164468a54d7cd97d754935e86acb8ed6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
744a84db004d36736527a3cd07eb7bde

SHA1
58a3ba75d7a8152b1f85f64150ec4db1a28b7f0b

SHA256
e3339adc8588441b7b368be84420f0490c1d567042837e70ed72e4b0bd5517c8

SHA512
40f8bcd551c27f1f7f173bb17dddf55598d5a48f77ced796ba3ace795072ec36ce1aeda02cfe88491d17947896492b1ab40a3408946a289d13902c5d56e043c3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6d1419a3b6c50e3225e64f1ee178f13c

SHA1
941d805bcd8886f61d263ebc903faded8aaf0a68

SHA256
1722177aa566498578516f23cddf5a4b5b7abf46450aa22d0792fc0c533b17ee

SHA512
63e2360f3e3e5e9fcf273c44b2884c93e8935cb4f43eb0ad8efc11c97e9b6ceae516f02d3aee50926e0dce08a13a4da324213dd3039d35d77ad223ec7a80ea1c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
bcd4f0dc14a162b73b71c80bbc22979e

SHA1
103b6a369e6b8a4155904db7b9afd836360f6bbf

SHA256
fe169669ffcfdb73b50ce5eeed9acb3d8cdce07168c7fa0f53459a59a90ffb23

SHA512
c9b8339681df9dff238ad8bcd90e0f7d19f02f09c18f0fb0ecd7764a3e2a4d1f75615895422693ff6dce9b6bd411246505e0e7a49b30d60fe0533ac1dd0afc38

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
1a50426dd6affd3491807b9d3780e53a

SHA1
0e0a7dba2d9a015e97690ab3a62fcb212fb86e90

SHA256
60a7c91c61b6a0d13df7b6ddf9f056229d974f49c3286333b60b61c32567707b

SHA512
a07d95a8c015dfc07974735aa4cc3baa636cb051f68db95bea48bea371144bfffaa1e4c4a25c1abc0d39ada35c9dab847cd4e7e432a6261a2a11c6aac99bb15d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d37b93fcfdd5c1041fb708ad9bd42bd7

SHA1
40752c3d0911f2c6753bbb4dcb73c141bc4d9cf7

SHA256
8c9da96e54fb1fc03cf6a76b20d9e3ccc63163d9c697773c088ec93baddb9891

SHA512
13d997c904662e0c24f8eb56cab3f59b6b17d34f4eedbc6618885c52419a8db2f6b21fcc641b2d3a8fb963cd7ef59fc06c790174299e07451791ee2261b5693f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6115b7065970a325c52b2eb8413cac1c

SHA1
f150c564a2418ffed6468381d7d8afb939c0272a

SHA256
91687b3f1406b249f5143184090b59431ba658fc8d0a790aff4974e3cc83a2a9

SHA512
bc386f06032b8dee6d8140f48b3a1203ebe99e86923fe4c99b2f23bbb1b6f90ea5226dfac199f32cd71697e05dd980b15e32edec20d186f4660ec202b0564c9f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ad2bd8fc3b11f5ec3f207fab7171975c

SHA1
fc217da39856da744141485f9786f5d65aebf631

SHA256
a8962b0987c6fa2683bffce7530b5e98253088a9f5de41859fb1b9b331046c3a

SHA512
ac61dae00a25317043c99b21b8aebd04d7578248446c81395c1f7f25296eb918908e69678a4a645c407cde43a97ea0689ac8a00a83a644cf02fd7657db04c345

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
12bd94df2a1f9536c021c7d92d35dd93

SHA1
5510aa4b5c80b554204da10bae4a913b33dde5b9

SHA256
c1ef12cf9c33cd25a4a3406e230cd5fe0c49ca628e884f52e9fe6efc8b9e481e

SHA512
1c9c8d91be1c8605c482525b5b4bbd58c149f5b59b6b72ad67d8c242b3859207523c61ba9cb5cc3fc3d44fcd691974e22feb340637cff0e7252b01c1da3c0db7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
060c6128ce9f4ac7ce9da2c62493cbfa

SHA1
c723b0e02d8d64bc7d600e40cb4c4213f7d6d8de

SHA256
4f3f0fb0e4fb1add3fe236d64700b098357572a614d97ba364726d841aeff4a5

SHA512
ff56712d905a5d8ef3bf4ee8d5e163f35c9d3f0939ae5d592d9fc835436b3ed6903697d260169932dbe0f602de169c5bf90436d5ca635eba352d61c6660b7ae5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
137eee65a8723d5ffc1e2f828d5c07ce

SHA1
8a734888ce12f14debacc0f811c9c64dc25a5cea

SHA256
53c86a8abac82b8c1b6352a7ff3356220116024204acce8057721c86e9337c19

SHA512
35e86f31ef0e7eb6096bed3d564a3d9ee1e680e738a75e489b29d320728f804f0d3e932ed2a367caddc14dfe216f8f427c153c55ea5a96d75d7a7f4822fae8c4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d45b078ace3dc62146538ad679ff44bb

SHA1
bc7758b859c97ab44491f4b861f2eaa1b8cabd6f

SHA256
81d8a6ff96af8d88fbbeccd52c079e109b8e6bfe1414a1c95ba8765a4546fa55

SHA512
2738186057cf90d09c3442ee3d5bfd700164d236d0e0329ea173a576529410e07fa73b9aeaf3516330bc1e51dec501b703c7a7c2d64e5be1680d19fccb9fbeb4

Download Submit
memory/856-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/856-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1056-490-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1056-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1448-84-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1448-75-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1448-81-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/1448-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1448-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1452-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1452-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1452-49-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1452-45-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1452-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1832-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1832-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2076-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2076-634-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2076-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2580-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2580-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3296-635-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3296-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3512-642-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3512-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3620-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3620-645-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3908-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3908-639-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3996-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3996-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3996-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3996-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4208-646-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4208-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4308-644-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4308-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4544-91-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4544-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4544-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4668-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4668-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4668-128-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4668-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4668-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4780-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4780-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4784-116-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4784-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4784-19-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4784-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4784-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4804-173-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4804-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4804-58-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4804-52-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/4864-638-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4864-198-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4988-195-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4988-636-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5080-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5080-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5108-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/5108-7-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/5108-1-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/5108-89-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/5108-476-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/5108-478-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download