ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
Size

1.6MB
MD5

de725165fc88fa2c91e971931c34c217
SHA1

7cb9a0f58e72b7e0d555b125d4d83eb051274a9f
SHA256

ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677
SHA512

f0e558bbec5da5ccda41a44d4a114d7834d74a5e81d1eeee3d5f167437793c7eb3260c8802d20f0cf3af1cc88490af340e43234aca022914bb2aa87c1a688df4
SSDEEP

24576:D5lB2hkhfvCpf2fTf/SkQ/7Gb8NLEbeZ:Dl2hEvC4fTf6kQ/qoLEw

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1920	alg.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
536	fxssvc.exe
316	elevation_service.exe
3444	elevation_service.exe
1056	maintenanceservice.exe
3576	msdtc.exe
3960	OSE.EXE
2220	PerceptionSimulationService.exe
4404	perfhost.exe
5100	locator.exe
4416	SensorDataService.exe
4720	snmptrap.exe
2960	spectrum.exe
4700	ssh-agent.exe
4796	TieringEngineService.exe
3632	AgentService.exe
2448	vds.exe
3732	vssvc.exe
4436	wbengine.exe
720	WmiApSrv.exe
3888	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6a03c099240c1bce.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\System32\vds.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\javaw.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000066802314a9e7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008ce90010a9e7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef395b13a9e7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000790c8410a9e7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000015b9210a9e7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe
4704	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2208	ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
Token: SeAuditPrivilege	536	fxssvc.exe
Token: SeRestorePrivilege	4796	TieringEngineService.exe
Token: SeManageVolumePrivilege	4796	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3632	AgentService.exe
Token: SeBackupPrivilege	3732	vssvc.exe
Token: SeRestorePrivilege	3732	vssvc.exe
Token: SeAuditPrivilege	3732	vssvc.exe
Token: SeBackupPrivilege	4436	wbengine.exe
Token: SeRestorePrivilege	4436	wbengine.exe
Token: SeSecurityPrivilege	4436	wbengine.exe
Token: 33	3888	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3888	SearchIndexer.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	4704	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 5480	3888	SearchIndexer.exe	118
PID 3888 wrote to memory of 5480	3888	SearchIndexer.exe	118
PID 3888 wrote to memory of 5548	3888	SearchIndexer.exe	119
PID 3888 wrote to memory of 5548	3888	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe
"C:\Users\Admin\AppData\Local\Temp\ca24644a6d803e457a503653778756aa2edafa76ade2b2b449d24ab419ea3677.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2968

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:316

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3444

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4404

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4416

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2960

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3732

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:720

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5480
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2708,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=3840 /prefetch:8
1⤵
PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
71cf92e68312dde3c051aae1a7fd7d32

SHA1
92f8b41362196f990c2c3e30ecd8df251086d551

SHA256
9942f84a6b18c8c9af0f1f98d6db1165630570fa2a07f0f90ce1a997b847fe44

SHA512
a8b38302cc75e5d66c9ff4b4304d71d75a005a1d006d890b5430b0f31c99f7013ebfbcc95c8b7d9414142de680c09e56096edab46aa9519c33063d65cfabfa0c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ef76703c6220f00524663a3d6524ab94

SHA1
44d9e759224d69a5518295e36f9fb996c38e185b

SHA256
77c4b0a3a98b4188aa5118373333bf2d83c7c00290dee21e0c078ddfda5caa80

SHA512
8bfdc7c153c93b3e6c63129414c45cf2fed38a567e322365d9db790d154561e7cf6d539a6b1ca4f1f33bd3d6573a5400e229812c42f312b8b61993aede9324f1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
9eaf7b301d8aa902fce050f284920989

SHA1
016c786d10831d971f586a7b421d6f1013cae367

SHA256
65bac310b8b778535243fb4d5d679609df753277f1c07abc2104d6d27c9ec17f

SHA512
374fc49bb00598968c94c10dcb9fadc99b3e09c6d934d47ceb0e8a4faea257c461f7046d92986a771abf69880804202c80af6ad37e90c34e52b863776b0d26bc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ab3e685bb394b1bc1cb54c280536d04d

SHA1
4960ce555b69f6fbeae3fb02f6b918855598a18d

SHA256
438954b0064317927f9a81782f35001ee31bc64c81470355418e9c24f576f0d3

SHA512
cb4b9248841cd3a5398cddece74e9fb2b469bbccd6317b7fb03df0078fa3912e8b6c9b9185be485b2ff1fe8b720b9a45320dd7ebe4fa5fef66be85227dfb2841

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4c044e97cac8718fb4219ea52080d85f

SHA1
da684904fa83e6257edd1b33b5ffb297c4feaa89

SHA256
50bfa49e6128d9363acdbb8aa9a7408ac0f01e7f7bbc9d741e019a7aca0eccf0

SHA512
ad254925618b29089708b05ddcc738ab0427c3676140d5ae5c71e9f9ee10bf03113d04cadfe5f5e69d573a422857b6a026f439612a23b1f66455543c173b4bbc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
28f04235f6dbd1bda0f8c4a93e883353

SHA1
b7d5f9179ea0621c0bf459e48f4d1c5344548042

SHA256
25c9301a1b88dc475848df8401040cad8e6cc0f83b2680e5dec75aca051b9042

SHA512
58c687e8b586f1a8d4340b45e26c4bde378919aa9e940521522ce99f6e73425486568a96d36fde46dfd921d041c5e87f774c01a59e4fae1cbcd2467c7cd52c8b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
734e6b4b5c18cf17f756a754941bf4fb

SHA1
733cc41a1d546dc0b181440095401ceb278b71a5

SHA256
2da78de44ad7d495a9403da93f0a96a6a31cdcdc428f75dc6336deeca50729ac

SHA512
154dce9f4dd4a0a91b90a8f70e0406863833a18595ede11ad229b30f409238f6bf3377fe26ec28553d036bf6e7236c9995f13708f50e8efee71a93ed54a179f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
55be7b0424b774d81d485baff8fefcfe

SHA1
8e3a6bec1243008b85aba9c685e8227cd6b3a62e

SHA256
26f903670b6fcfaeda82f3cc03cce5f9f88320a5e9389c0e808ce941552f0144

SHA512
232f483c242f6bc91f4184d07922d642bef0ee88121bd3a0b0a1c5c21f536756125303d7a2fb21d2c97cb7cab3d0f26fc41ac52b42f5e98eab8b968868780d2f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
8ad63055c2eba05128ef5ce7777f36a9

SHA1
26430d692ca6b1f350af709a9449cf60017acfc7

SHA256
f621d2b10b9ef717e10c7f2d051684ed9b0f5282d7681fe66f5a8b3e662a813c

SHA512
86ffe94185b6ad776fd2a9ee327e90d15425e8a10de223d98d0b024ba91bb5abe5af27fa8c3da5f06519a97de57a754285aa866d20766b35adaf7c343febd9ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
666e814f537a7aa1c23ead24731e45c2

SHA1
5cd2bb01724270f09933a8591671581371ffd197

SHA256
c4e9082eb69f0314419050f9adc67817ab06b027d20e410eac7ae66c46b6d924

SHA512
ac9faddc7ece496d27dc0b483d58ffd1777e744a2af59005745aa4878187104abf0e224717211be9815a083ba9b60b702b18da1f29ac143a99f9a4b26fcd37f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
98df716c76ad0d5e7a0a8e28db12aa46

SHA1
2675c7a35a4e3d604e2b32711c482e08ece7e7ac

SHA256
5122539bab84f44ca9204500a37424e27863c99114c28ee55200aa3273693155

SHA512
a924666b89b4fe3c0e47584e0f22724d596b8e4748c1fb30fcdac45ea58a896eb2d5bb44125b51596c18530d7d54f9a03e597d1fcc0a75e7737c96e88e74719e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ff81ef0e21a4626a8dc1b49895cac730

SHA1
b1dc28ff7fe611827330f6ad8c2f6328a66ad131

SHA256
3d91483943026a970d3203423c14b965613f01c8e1272f3a51f0fd6a49570f8a

SHA512
742b6f844b9d90a86b1dd8747d082d87f3979578b52f6648e723bdeb4681a1daf59536a6036006859fa57a85e2e532bafe7db78bd99471471a1bd1a1a9ff7aaa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d4d17d018743eb50bbbbc8af94cdd4ea

SHA1
df49df96afc5013e54c7478c894e631e2be2d276

SHA256
5b48175cf9f4325b97c1c23c534736b5a8f26f4abd94ccec63935e4aff89e38a

SHA512
5959db08255e2754a23641597975751d930c81655ea0d1003cf73ad2a803799beea9184c4a713e378e0e42ba5cebb80d78aeb650a79cc5d000cb090c44b04fe1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
5504b5af30d7c8f0493987d2b697932a

SHA1
c2688daa2161440bfddc1aaa735c7bdcc59343cd

SHA256
7e7b19d22c8adb8779a3667ffe2cd7b1fb07fc2cb3b9aab7f92df6c69a9b4ddf

SHA512
b291308db392757da0ad98577ef51b3a67a23cc8fbdb1d3b9b490e7cfe6b06ca3462eda882a342bda540ccc7233e130cb4480183225d480d1f356cbb7e9ad0eb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9d2f91f4a26788893349629d2966471a

SHA1
01638a23e507f351cfdbf8e319fa8914d0271dc7

SHA256
495c00c09f4b8f2d62ca8feb742eff0b07dfe4004175bca7dcbdb5c79db1da3c

SHA512
d4677a3fab8407427e0553c053aa2e981ec060fe957e7351e92a42a6e4aa43ef4b71bbb9f69a4f4e7f1aa7770e321979114b133c2a7e17eec7adaad4a831f8b8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
fc955140be55020b45e60a5a27f8bab9

SHA1
f06cd13e670916d26d9d2dbc865574cb5e6c8a78

SHA256
5e1ba739705c38e12c0b912c6902d5e497335424a424601810fee84f8c432ac5

SHA512
56b0c72015f256e99e812e3157fc8a4d5adff9f8ccd58174f0da6e90f4e2d0fdbf7ad8a6593906f2c03520aca0b1fd01b8bd2f86143453dc54af5451bb331a3f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
57989339172364502e3a0b8516c90407

SHA1
c4f7472694e04b5585e8981bbe0bc5933f3b840a

SHA256
cba67b4b2c11c9b5d03a59d07e16ddc956c78d0175a743e5e76b3811b2899cd3

SHA512
70fcdc41759b72d5b7bd1597a35be6090c40eb78a388913afe31b623688b0fd4f24b18e4708cfee2fc5746c26d6a7c6edcb477ebbd021753c1df5e4a73662785

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c3ccd910659c1883829d20d81b249c4b

SHA1
ab613687e19a895eaa57ed2976782416f046b27a

SHA256
87c53d9200330e944851e6167e04184192257c11c3598136b321cb2d5bee279b

SHA512
7e31d3469c4b3b8a3f8d33bf353df69976b55558ccb00d3135200e567cfc9fe3eb84395aac4d98be5ddfb852112f9c31e0a4023b87939853684b8fae2f302e0e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9ed4a5805800a19008b6d0cc92ea1d37

SHA1
346ab09cba5cdb5eef836e5f534bc0311d98ab23

SHA256
6b1d86d5a19c61031422b1325f8405c3a21b99016acc5cbd5495ad26a1c8e3fc

SHA512
3d40ebc684324f3049836bd0b84ddf7bd4b4cb4a481f1784b52c530201486f6186a261735e7c091b3d01ad6591f75ab44828c1a5817865ae466b5b97dc4c044c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c4807d891ff9d12e7483c176b11d03a8

SHA1
d0a1028e81351ea680e1ec549b2ab14b04211ec2

SHA256
55d1311b7ef87de6c12d125b5b65b17b59cb77510078c2404da71a2777fbb4c0

SHA512
2e1e11ac0dacb3dc327be52dee8395cdee9c30d0d55b42418c20d971d17eaf01e3497e4840e0bf28c8fb6f7a679ca9b9194069906031e7bc1595de9c03bce251

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
8bbbba1d9d78c6a0354705b3e32ae088

SHA1
e0cd95e72751df0327d69ecc6d4d5d0a1467b413

SHA256
153e7fa0c3d67ebd518dcd0d90a9e02c782171f95da78b6d4960fcc029ba07cb

SHA512
ea3cdb1214e99cb513e24681696791355b6327f17bec33cbedde25b57530595d8cb5e7c19c94470a31d9ce08ae62346ba65669b5a2d9df5fa633594fdde0604e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b76856c4d08ae9bf540a3d22b6eb7a68

SHA1
dec411caf550154f109c90cec9551b6670a45174

SHA256
5b17b0f66d3b1a04e864cd5175520cb948aafb0ce816f8e278e118518b36ed6f

SHA512
28555b9575f6e948b6ab5d85dd98e5b185392ef8afe08a4d6a309c695ae4fecf014c6766c1f6d6275dcab97a9e10eaee4bcdc4fcbcc9f4d6aa38ef0cc6b2cda7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7458584cebf6b6017889ef103ed75ff9

SHA1
0cd598c3a47aa7a518bd42a322e90aba309113de

SHA256
07b28d38c1f83013d629d4b9595b82b86cb799934ce84997e97ef2bef50f9817

SHA512
2290cf912a8e0bb0334af2b5eb568951a5c62273f206dcf14de8b9f136ec33db92f505b635c1ac91a8d4804161c00ba8302c1e3b1024b610891e302ac6096370

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
76f21498a48bcda46b14ad84d63005fc

SHA1
d19d1b1aeabb1fafca46f1bc8a6f1c8acd402db1

SHA256
3a7b5c8f7da0cd40d3cb0a14d9bf602ef91684cda0877c7f383f7b6523ebe394

SHA512
e7eb8027344467efb720f979c7cf6221b57847c69952aadb080a3b94a5fbf46c6b6a81475ea912413406ec948a08f46c66352c171b4d950a3d697b686add5576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
d96a23c75b43abd4985c45dae9e6efe8

SHA1
f5cd15712072b5c8d3669fa552a7eaa4111a1881

SHA256
ce06637e9304ae02aee63f81d27345979fa079917a373488aafe29fd9f88d5a1

SHA512
75d897691f2c4b6aad0643e0c3a0f6299857966cc1d82ffa9e53bc5d059b208fb4dbab9490b58d162a15b1a850638d0f00846d4dbab0cd6bc6a069ba84553bc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
035cdade61e6caac6983c1da97547025

SHA1
3dfb3dadfa9cd7a2a9ca3aa40ba030c9ca9043a9

SHA256
e5cbcfd8c3055f7ce0ffe1e124df2495c94e173f3b7bb855cfe0b087390a2489

SHA512
f754018003310c89ec8dbc2519baa92d9fe1d989b2e45dd3911f4a81f9ec9e23edfce44366a676b6becc69974c38e67ac79d9eeb20697445a97559ee1e44c1bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a93b79b19660f74fcc4d220a66a88427

SHA1
1bef8f18ad85868b59b6ee354ad8af53065f80db

SHA256
ccba653734e764efcd3752018d8e31a2615e163bc9f3be0c92ba1254bb960564

SHA512
ba1765670aa9fbf66ea7e5db423776e5219d9266fa1c3d4d29febfdff4cd1d8d3984d1e5f73721a100ba4742f1c427c8fb6691e2669a0ffd130ceba4933a606b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
740d003bf375243cca979882b5c86cb8

SHA1
f95e952bb622147c990cc6487f25ebc515994cc7

SHA256
030584d1f0b506ef88a0eec6852af1748422d775a5f501d4e0157cc09a1dbd5f

SHA512
d5e64e64efcdf97cf5f0eac3dbd97198c7ccce57f330d9947304e477288c907c48d6991cc27636dd52f694fc4f2c770e47424aa59a1063baa95072993133a11f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3657302c2e57d6f9ca03f173d98370b7

SHA1
1d4018642dbc3bf6156ccb3a5936b622144286c2

SHA256
ce289e5d8b30fa5fa29f3fe0e94dd64948552fef7bb63d1592d035ade128f899

SHA512
8de9f05994b559d3eabb82fb73f5df51330ee19f13bc38d759d9946f8b8237bbc5f8fc28e9581df12a782911b23c652e28c1c39f2ec1c3b7008b6c4e704991ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
922cd8774cc328c389e6c1fcec3574ad

SHA1
b30f97c690b7f92da179fd4ad46798d5f6febfcd

SHA256
c718660d8bb6acf209d3e02452eb63c2c03127682012c569dcdfc2d709ba29a2

SHA512
7da0bc47ce3a865ee5a119f084dd6b10b10a29dd8f92b87f399617270b6d2f9dc3a7822d118483c0c05b4a7cec6b6d5625c60456debf4f1f7d46c81900868b67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
fbe696ae559600648fb1ce80e1e01a47

SHA1
0e492f3366c07d828e17466506496bbe01b5b9ee

SHA256
6b606e69dc769c5d8fcbc7f58a050a7dd9ed9a0fef4f10e0d74838aaf05547d9

SHA512
dfad5906de8fad5c991fc5dd30a0505d963cffd90acea159ca22716762b425880990e60ee97975f5b099473578ea28e21a31cbfee8b84c120171af6616430710

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d04e263fe6d71b647d689f94211fa46d

SHA1
640fe437eb2e2f93a427fc86a5c70c9ed5053b93

SHA256
71ee1db8f28a015292bc48e5ae6a44eab17c14900f2adf7714c3288415f1ceb8

SHA512
acb8f1e3a9359b6dcde2b9ade20de67571a084f8c41d6c2005eb7f250faf682bfc042aec3e74e9cb6174e6871ddea1f5d658e4d028ba1fab06f5d3297048ad59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
5ee495592c365e2d835c621b309c9b9d

SHA1
9f537256fd37a6526657f32084a46181ab5ac477

SHA256
cf065dc7c8794658a73df7f32efb2896c1dddfc8615b14bb988c5f633cf81b8b

SHA512
1d12bb86b8f2a8f6f72fb404565771ef456201acc6f550a16e5a1dea9602e1ea668776fdaf53bf23390a05f107c0f855be15c108ceabf1a27ae21c203c08f7ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
88d3c10acbdb7c8371bec7494c5cd679

SHA1
d2e1ee1e58efb73b2f24f00b4313a6e3e045f1aa

SHA256
9e83a0e6eb4f7e23e1edffb5deffbb29688465dc39d50bd68a71b1283c1cc19a

SHA512
d4ca2769c2fcc24f084223e54df5737f54e7ab775edb047ce143bec8967c2eb71e63efe2c84014cb87d74efbe4afc91795012a857c2e428088000d578e6e95df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
302c131d7b98d2a2da6b78dc3899110b

SHA1
2b93bc6f0b1e27707c30dedf4fafba2ab9a8b1d2

SHA256
1dc74d19ddebb29d2e5f9e952b0efd6b505595784f37cdd7937afa9dc77f45cf

SHA512
c4b8ca70b3a4f2cdf790ca38e099b921777066665ff165090a923b263f106228132855562f1fbe35c1df8f2eeb874f7c2ca3bf5eff55a683dbf754e9c16ca098

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
148c0a9a1a3156b2928919b41e7020f4

SHA1
011d4d44edfd30ba87b7c1eec235b3da5954f51e

SHA256
f95eaa7b37d5007443fd4ace14e4e9b63ed1ce22a64bd2d69977d19605c1d23f

SHA512
77c0347d037deef71d8f3ac4d2a5ec178906612b54f23e7d60175c353a991864363cde737f0804badee36002c59c1b420ed6b6c1fdf30dc9ddff6c14fae4646c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
5970615a827cfe4f1b3659ed615f25c4

SHA1
30f53ef697ef0241f144795169dfd9add408e7b1

SHA256
606e11c975a6bb2e3d1894242a807f93a381217a258c25ca86a3fea7320b7f9a

SHA512
d9d56c8d2d059e7413ff223787679c348c214894c5394661b6aab9c26ceb99a2674e3a8a4d67ed5852426f64bf75e6d65a58e54099fe1cc24ea90fd9d90833d0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
68abed3bf92eacf0c9f849627f9dc5f6

SHA1
4f91417b8204fe291a2d96379342197a4c442855

SHA256
31a476a74f5278bec5636d1cef20045c08211ae1cf789714784d9ca449a7f444

SHA512
c5478933132d5dc44d61aad84edf36b49a10c48e9e4a5cd1f4f0944583b78cc9874a5a6ae9ec035b8a6c8bf86483b3cf0571dc71f46447a004cc468d6057ee28

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a2c787c94d2b40d665786d4747ac8bf3

SHA1
8b4aa506b6c1ae76ae17c97d3694148f86a062ac

SHA256
b6747f028f9133b3d443e6e64609cbfedd05ea9b3f22a68401c5299dfe69b287

SHA512
e8f415880050323cfc7f7a4430d1ff1dccef0c0a712d0c5682414d76dd93d8599d3d6cb2e46a93e3ca72a2fe0f87ff89e1e8057eb9a2d139fc5c7474af03b441

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
65e00bfc83e3ef8d8cddb7d894ddf4c8

SHA1
cd6c91e81184a732a5f556a3329529b5cb02727f

SHA256
e54db16dfa1ab24c8303364cc6dbda5dd3e537ede962308d94210e68a674d942

SHA512
79071bd3e1888b1f2dae0382cb46ca5c1cd3f4fec9b981f2892be0b5ba83f0350e4c9a8a89fd32a93c0eead398f406201239acc38bf28d93b8f65d9bfbafbbdf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
65c64fe3ad37f953989994c1e857ea1f

SHA1
058a59079cf1a3d8d0514652cc0a39a4faa2ede6

SHA256
536c178b34e7a7259793f3d3e5cc7a2f480c1a78a9cf9f03fe1506516924900d

SHA512
0b38e8842496e8d30bb2f56ba795cd9afd7792fc09e10974ea2332ec0f3dae9457b7338db539a7054c12e1aaba6cc31c6181c68dd74f23d6f952f3b2f0293cd9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
f8a10b30c3e3149f6c4da5baca9bdbdd

SHA1
e8b0e43d0bea2a80e03bf25431c2bdc92a5dbbd3

SHA256
f62e22a276660e7d5a06aa5cb11ddc92f3501adb599265fbab933e0efec48f54

SHA512
8492f577d23babaa100f38c5d3da8e9d8486a2871cc12cb82c4d92edad4b125b9fd703a73020b4061bb39aac390acec8a238d989cb756d84c9feaa2fce698ea3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
898b5ec4aaf24fdd061a41a724d96c23

SHA1
1591cf536e8ca67f0c7d7eeb0546bdb05907e850

SHA256
c74ce43e7790c48139475dc56fc4d15f790c0737393669b419f81dacd3db47fe

SHA512
e6e8079755334d558646fba8fb3b961c2a7431028505e9bbce3637c8f7f635933b3e242dc2489dc5f354c34a34f5abdff825ef61e4932823628b6449e0327587

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b9a658803e81e71e2d2d1c57c75714d2

SHA1
07c1c8201ead1dc2f5a09a9f86665964965da232

SHA256
1875383327aa13ca91f72779c1d63a0bba1552ee397cf55dd66529633f1203a0

SHA512
1552fc8d7758dec6f4a2744171b8732bb850726d128be77b32361cbe52ff0031e59ac99a8ca5ccfad6d2787727089e98a55c3d05d3c55c5deca247422052293e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b0c8c8419bf19e1aca9384d12c0493e2

SHA1
4eaa25fe34d110003df02458cbe6e1da30bcede2

SHA256
8810e55c72a80fad825b2b7d8631f0fdf6f24280c2f2675770ce97cdff8d645e

SHA512
f7235e8e870c731900cd2dab4d95eabc96e98a83991a157f4e8cc3638b9f4773c07a4ae0a13a350bdf3dbcce947de2913228cf89e7562e0651b77f8ce8d7a050

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c1fc9068beee3897397d96b5d7e4fcf7

SHA1
6f265a79912e16b074f208eb2b8397c3fd02cb0b

SHA256
de6afbb2a9671fecdbc3f119901faf72ad07282874231581a8ed36845f285440

SHA512
4c8fa6a147f431f215cd29554d183a32796c64a366685949c0c1460635ad2b0d6ed586bb846344e83703916ab4a03e5160acb22915c2f319d1ad55ba87a0d138

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a30424bcd35062cc0a80ee74129b2ab1

SHA1
a3fec664972d62bbbb28f734aa08bacfe8c42237

SHA256
34a86e57e44cf809b8dcd28c8da0f1e0ca5b1bb35d2857bbba4e0872be2e0a27

SHA512
07e835255a76eef2b69973562f771edad3809b16528442e19dd81c9e9d6a2be432f8cc05cdf1bb7c56884d0a11de55afe0cf6868c98c6f46d1b6f8b0b84afbcb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3b667b8331c771088e20e7b310eb6da7

SHA1
68e5ae506f0b704629fdc92dba380fb447be8db6

SHA256
eddbb51e962a220cefc7899dfdf07b613ad8c58f78d12da0fb2b5fff45baf14e

SHA512
326e4595b5c8a75812d707f8d3e5bce72ec78e52d3a9307854789f3571e44c7e6f0a9330a6f206d88a53f42563146e2c4b648bf26c2eab65ad941cd38f986d5c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
78fcd17b523b4be01952d8f53fed6c4b

SHA1
413b839bb19c9ec82964703987bd50d46a4de4d9

SHA256
6c44903036f807c57d83370c752b5dbc383acb66db02a362daee49c50712786b

SHA512
fa3dd3fca5e33d4b71d29f034b1d2a6e9e9ba79893e4ad1d06910407e2222d2e3443180ca4cc8469a8d702e90232a2e0fd81c223d8513c511973683ac76db9bf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
30faa425cfa69c53925ab6880fcfc00b

SHA1
b9968c1a5424e2c8d19e3758d8f65971b5b58f20

SHA256
f45ca7d362f13901c87929ee27af91792ab2ef0a43642a9095c6d985771ee3c8

SHA512
221f462997aa1d1d08026277a5eca9c3d66f93a5c7515fd263c74828b72825e2d4ee03a6352f05ac8519ddcb9efb67a4d54ad342b1387ad3146fc5d2223dd9ed

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
204fc84d8066d334f205b9479d430e3b

SHA1
85aac176c68b022274fdee3eb4f401b0dc5ecaa9

SHA256
988a33577104d8b7945ef38e2688cf578063a1ae95185b6e0e01670bedb79c22

SHA512
e59aa9a6392e02ce07b5627e1c1ac2686cb416bbe35b20a0b388f69dbee6cd9143406d01a926daed5755d3528190d5c590344b426ff74f143cf5b76fc5fc63b8

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
5473e2f3b080784a024d3bfd485401c7

SHA1
57f0287536d7f6342c3ed6775f90e1547893192b

SHA256
dc79308fd937bb4148e2f4424a91641f725b06f22228c215138a5d02883b3830

SHA512
12e9e6775a9ee26bad9681a762598a256e727a58625c97d35f3b711b6f6cc539ad55d1237e8ed20afd63085303818b6a7946c121caf87997ece1afe82968d724

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5b20577aeddcb4def5666883f6512f3d

SHA1
8ea9b5e7f982e420f822233795268d9049bb5c13

SHA256
046a082a192d51a1f279ee59ed1e0880612bb93243d1b2fa537f28a8775f79f0

SHA512
df128761d4fed83d54cf43a289938b5da2506485ae600d14057b107051f5741d14b5766098b25f9a750515ac23242a37f9724860fea0bfe95e2efaa832af1c3c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c38515b02da5cf9fb8bc4b43f8f57e8a

SHA1
b3006b1fe25d933ee7070019f20e74add7bc05fc

SHA256
add7ebe47697ac7bf1814128388cb3f878216560f235b13c1045a887283e5a8a

SHA512
5e904d1a20a36b5ff6ca164c74bca645f8889e1bd7de2b4e7a6f0c39d9f11688f84323d5a3648a5c13ac722b5a3151ecb1b663cd50e893ea779ef2be8ee12220

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
676dc5d2db6e1522d1361046d3a2848b

SHA1
0d4e0755b0a4ef514e946b39da68c66ebf717fd3

SHA256
13a1b0297be2b4fe5efbd42f58f91ed83c2c1920d2a56332a65f4b91d1140833

SHA512
ef40d7f96a3752b501b510542ac12b45c40e04f806e617f613f755296d2fd00143afc039a2972bd4854293d713059d5af3253dfc5b54c193a1ac57f753d5d8ab

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
081f8e2beb253d31b824062b11a4008c

SHA1
87ce66e8a1158303fd0a6aba60fb87d9a41f684a

SHA256
d7760c720c002fd3027e509e40715b1a08f98d497d09e8307c1d1fdcdfae3c49

SHA512
4f64108809d8223a17bd5914759d37972016e3a3de57a7c6df145c9efa353cb210e8d8d901da85eda0b57c8e244f9660ce0b3bc0d871f89ba1d217f2fa8b24d5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fb021f3216b50eb68de6e1f5882ecc60

SHA1
1cbedd6c6e5444bbf5bba7202031c02965d0f28e

SHA256
0c9e19e01dbb1950ae0e60bdd79729509138b73df3022783cc00c9a898437335

SHA512
6c83aa0bcb61b1c61ad23a90eb1c8e105a5e1d317c1c3a8605e5a99c473ee29cfeae5dc51d17c663c0f20a340d220bc619a2f3d9bcdd709f3bfadaeb78de735d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f0920a75f09c909d8691187a01b31158

SHA1
1dc0492fe5477a5d772fe281769a9d7b2a02ad9d

SHA256
01065c5f97f5a855af46ad67cd01720f907e10f999f85eb66f4e58753d61787c

SHA512
b74a10b41563846fb73937fb25ab9580909891bcd8bc6699db6174f59216841026428a41954d213b8ee76118b4cf32e74b3f38871d486f2f5a65eab76da0347d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
e92d2b24ed4c73c193a7a848cced94c2

SHA1
d4644dfe2ab1bd3648daee653a56ac73df21d04f

SHA256
a220bf34d4671810cebd4a0955d2e90bb7d3cb37bdc5cdcf6da0a591092d5d11

SHA512
f508b4f71525c935d65ed346af42a8aeb5c0908967578dbeeb1ed28ee655ef2d6fb962a02791e8695c8ee280d8e1f134952eb0e1b10159a0dcc1f3b299a20c88

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
1b148b1cbb4956a2b7aa3e20a7cf9d32

SHA1
83bd10d25638c2ded5fd134230c49221aa7d9c9a

SHA256
51791d1633d049392a6b5d92add7ee480a73082dcc7bf38abe109a0e0d9309ec

SHA512
568932fcb5f6f5f939735e24f609969f25141089c18130553430ec4f1311213abd22fdfc8c53dfa926cd72ab630eee535f6284b6dfd06952c5e3a5ae4b7b7d6e

Download Submit
memory/316-48-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/316-54-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/316-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/316-597-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/536-38-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/536-58-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/536-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/536-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/536-44-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/720-274-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/720-602-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1056-79-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1056-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1056-84-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1056-83-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1056-73-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1920-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/1920-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1920-429-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/1920-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2208-0-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2208-1-0x00000000022F0000-0x0000000002356000-memory.dmp

Filesize
408KB

Download
memory/2208-6-0x00000000022F0000-0x0000000002356000-memory.dmp

Filesize
408KB

Download
memory/2208-259-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2208-484-0x0000000000400000-0x000000000059C000-memory.dmp

Filesize
1.6MB

Download
memory/2220-262-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2448-271-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2960-268-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3444-67-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3444-71-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3444-61-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3444-600-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3576-260-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/3576-88-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3632-204-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3732-272-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3732-601-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3888-603-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3888-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3960-261-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4404-263-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4416-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4416-524-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4436-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4700-269-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4704-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4704-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4704-33-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4720-267-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4796-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5100-264-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download