7d9212ca0bbd4533a1cd8bab03128563eef447cbdc5196788c48cf0fc70753cb

Analysis

max time kernel
119s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d889682ba37720b0a7f51743c0ed4740N.exe
Size

1.5MB
MD5

d889682ba37720b0a7f51743c0ed4740
SHA1

440d7656f33284b8def423e0d5e4338e0cc34521
SHA256

7d9212ca0bbd4533a1cd8bab03128563eef447cbdc5196788c48cf0fc70753cb
SHA512

29e7f4ec291c424dd49adea9bb178568d2b45b03b9820d9f85b9b1215a23c4f0857a8f052c066fd19ccbea4bfc1fa886d0b8961f0daa7de6d7f56c1c3a09312e
SSDEEP

49152:wDmZio+wLYxJYIJTcIU3fWbP6lFQeuwRh7IfbQT:wDmZuwLYxevEe1h7If8

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
436	alg.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
1952	fxssvc.exe
3300	elevation_service.exe
3912	elevation_service.exe
4388	maintenanceservice.exe
4424	msdtc.exe
5112	OSE.EXE
4800	PerceptionSimulationService.exe
4172	perfhost.exe
5060	locator.exe
1340	SensorDataService.exe
3548	snmptrap.exe
816	spectrum.exe
796	ssh-agent.exe
4600	TieringEngineService.exe
232	AgentService.exe
1920	vds.exe
4388	vssvc.exe
404	wbengine.exe
1932	WmiApSrv.exe
1396	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\88941cab696f5a03.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\System32\vds.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\locator.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	d889682ba37720b0a7f51743c0ed4740N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d889682ba37720b0a7f51743c0ed4740N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d889682ba37720b0a7f51743c0ed4740N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b66cd7a82fe8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f558e3a82fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fc1faaa82fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1ac75a82fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056f6e0a82fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f12e1aa92fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aed8c5a92fe8da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe
2676	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4820	d889682ba37720b0a7f51743c0ed4740N.exe
Token: SeAuditPrivilege	1952	fxssvc.exe
Token: SeRestorePrivilege	4600	TieringEngineService.exe
Token: SeManageVolumePrivilege	4600	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	232	AgentService.exe
Token: SeBackupPrivilege	4388	vssvc.exe
Token: SeRestorePrivilege	4388	vssvc.exe
Token: SeAuditPrivilege	4388	vssvc.exe
Token: SeBackupPrivilege	404	wbengine.exe
Token: SeRestorePrivilege	404	wbengine.exe
Token: SeSecurityPrivilege	404	wbengine.exe
Token: 33	1396	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1396	SearchIndexer.exe
Token: SeDebugPrivilege	436	alg.exe
Token: SeDebugPrivilege	436	alg.exe
Token: SeDebugPrivilege	436	alg.exe
Token: SeDebugPrivilege	2676	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 4076	1396	SearchIndexer.exe	112
PID 1396 wrote to memory of 4076	1396	SearchIndexer.exe	112
PID 1396 wrote to memory of 4840	1396	SearchIndexer.exe	113
PID 1396 wrote to memory of 4840	1396	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d889682ba37720b0a7f51743c0ed4740N.exe
"C:\Users\Admin\AppData\Local\Temp\d889682ba37720b0a7f51743c0ed4740N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:436

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2176

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3300

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3912

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4388

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4424

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1340

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3548

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:816

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:796

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4984

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:404

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8d6441871521d37e4c722ff2502f976d

SHA1
bc1f31dd84811cdfaa9a4e3111e04fe9c04bf73a

SHA256
263c8ed9e1e301cc2fd8c38469e0c383ef8f4ee3a18c4f2d1c47019ec110b1b6

SHA512
e8e95c8695f25aefe2ab562afeafe9208b42989f610099b13ef8e5b004b430683fc626d128c114d766a6ae3281531ce39afe5059a086d3a634fa4e905dae551b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
483755e65ebc2e5b38e99e460fffc07d

SHA1
056b231bb4a7dd7a9699853999b1a94bee051ab1

SHA256
c17ffe21f011d1e3669f8a003080047ca97d87f2b7998b79118155604c0d876a

SHA512
cc37c2179e8be8e47389f83c75e1000236d32a3dda9b5b8fea26d5dd120142f464903a2956ba5ed98a6c2fa539ec0304df11bac01c03d15321ff9e331156e3cd

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4e58e1dea963e05b404b48b4b179d123

SHA1
46bd4ddf34dbe4590aa57f050d9aeeb4fcce35a6

SHA256
f83fa674c572b01c04dd39a402cf6a79e34279a3686a05a316ce0034cba2aa81

SHA512
94666b9c85071a8835fef4c90f92a7250839e984c25e5def3691f19aa3d203fed37e3daf72027ad29ba9a0fe34c13ad4e0f6be77aef7128c1746e5bcdfd5069c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
da7a54c0338bdffce442963301ab5144

SHA1
c85ba49f65f7d7141aeedf3b55e1ffa8333b4cd6

SHA256
c32a9e2c3288d833b546292585f052835cd0f7adc819cd3b48b8aacf20716a1c

SHA512
10e77b72940aee26759c52cc95de5490f1c294638bfbdd5ffaf68a12d76145c7ee4a49cfb73a8175a6bbdb2be06e25746dcd079873f161c461ec9c517f8f3042

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
948d536162e4887f7000e8f2df2663d8

SHA1
22f27771dfd4461179846d12576dbc681e60e3b0

SHA256
9faa7aa90c7a830326ee699806907dd176a05445207cd153cc6deb8bef69d6a8

SHA512
2805c7130863d511d7a879548ffc989b77d56baa4e68d18c566b207a3500f93451b3436ae764c76e8b0d46d5764713f4c20e866713f2149628ac07a28c43fa98

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4b3c46525d69ddd947385f5ee0fd0355

SHA1
704cd337141b7b9f7e688b113c189bc74b907ee5

SHA256
8ddf84ddb25b9c7ce81055037567268151ce8d62dfb80f4fca63aa8a433744be

SHA512
9e5f0db9f0af51700a1b5052808028e3283906ee612deedb26ac4e681a7f6cb540f9e2e3ff018c91d9312aaacd6d9e2d48e9742f595d7dbbb1d74b6821ebfa19

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
fae261974c450edb4d296db7d95dd0c9

SHA1
7507d3c55f420785f5f45580592cee2024f9f5aa

SHA256
c3612a13f73393fda1005f60d51ee84f49d151224fdd1127acaeb97e44c95040

SHA512
9b598bc634de162274906f0f7e2d21efc13a36c115e76ffd3a4b2ca931bf43b17ae1a05f61947f2efc086fb308f55544cc8bd436964d53eb39b41b5f0d647e08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
910ef898a358e0f07827e272a49f1d92

SHA1
c667bba7223fa3f3b52b957a9052aa99875adcba

SHA256
b7768ba3ee380721b72b2ce0e0e6dc1cabfe74858bc070c13c071b68021b478f

SHA512
fd332e0be473a3d6f7c49c5771068d3cf9f9a5273252195b3edef121d069998586bd9af37cd7a6bfc2ad68359835058ce5546cc5a75f5c1ed47496d2b7fad7f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0820920906c391bfe2c2a7ec9842c80c

SHA1
227db93b6795c506dd7dcddd768ef6aaec90209a

SHA256
3d9cc4ba4c38220234374ffe3e6c325230f840bc23062d9912151a87a15d52d6

SHA512
115fa4df953133cb649c4302a92cf6e836caab1f919eea095e02ea0578f001dd0dafb604420e8dd13955dedf3eb17b4ea1b9a67bfae809b032a480e72ed7dc69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5372325ccf59c2bafb7605ffa8979cc3

SHA1
e146761e2b2f6c4e89d7f85de7fd7aebc1423585

SHA256
8785b11eefc582ccfa4709d46e4a3eb60d5aa6a13236ecb60c4ba0be716eaee4

SHA512
a12550e76cb5e9f3080e7a9c66400a28cb8626bd576666e3033c28730216836a486617cbca59f119816d9d01135b99b98db2a2eaa4ac1ccd1d2703206f6fe6b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
14bf13e8962959cd5a4beae6905d9ddc

SHA1
e4c48c196d5d9c5b74da2afc0eb5261b2f17221a

SHA256
cf6f09b6af3d76924b51b4fe0bf28e991aada81bfd7d5f259a3003314482ecac

SHA512
3b1da280431d9bdd1f82f7f7aa739a4a8a714caa8a27a8dddfd438492aebdbb70064ccddb2d087308ca0207eaa136d8f1c9c73b13936d56b68fd10f9917539f6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
91a43e1718e3459f28e99f554fd7b31c

SHA1
ffdb01be9bfa8f4ae63b27306e0f8be1d0dc54ba

SHA256
78abbedd7a1a8a27372f1270fb2b66a5e599cb7de7fb06e4069d8fa000db3694

SHA512
4a1379851995af65ebe7cba03ed592b77e25f76b1f5bc88d71b0a1044ce3a71864260855deffd0b9f405484d83e606f987adbd8f8e5f57a440acf8f2d8eb4520

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
d7639e44b4dd45368c0f25f8c36a2bc3

SHA1
a36e4473e4803d2918bef4a860c7386eb321f9ef

SHA256
ecc6915a3437090033c21cf67b11a449eb2dca9599968cd8e79332da364ec628

SHA512
13eb771edd4c897508ea99a6201573bfd1675eab98512032ee8438bc62c8d9f4e0f02ea0359c4d228156a623827dd0744d77de5dbb8b1ffabdc444b1d1eb6092

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cd0c94b11ac0630a139e2c35d6628653

SHA1
df362fd9b31c64d242ed152f5a75b4d7b2c67aae

SHA256
38cb6cde3b5520dd82ae5298ec0c47bc131272903788decd08099faedc16f8db

SHA512
9f2bb592ccb338481d49d3ddbe986e03b8ac1fd36185b810b388e2f5ae4b4fb1fb183012a0855a39a30684eebbee72dd0b8e822b632a433a595743c069f9e7ee

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
6536fe2f5eae658ed7732f8c428026b7

SHA1
94ba7bc98bb346207fa61bbf5c3cc8ac0ae8ec73

SHA256
f7bc32bda16ad12808400c7391d4b22c55be153c3f0e13d564fee9b4dadf77ff

SHA512
c466007543f0c26f81c4046aa12c9bacb59c29f56f4505d2f409ebe3fb008f66dc238b952b3671f21d8b866c3539760092d0775f9496067659d98bbdfd28bcb5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
a5eed2719444ba5e016210e2ce662662

SHA1
33cc9642052b75562b75c206721fccc7d774fa13

SHA256
6e8e65cb21d804b5bbfa09de5279c1112c1dc258a02ca548a83ce1849c206772

SHA512
4ef4d8d0dbf132e56946c26b36c6444e3612883fb5c1ef0388ed533fe2e68a9731e620a6ca364ece707c739f369fcb1a7eeec4c1f494f43b61ac51211f7abe16

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
dbcdcc7fd5a00285b20010866d79c305

SHA1
559caea5788df4bfd8c2ee1e88ebbb9d75659920

SHA256
29018e25af9fcd68c25b2d6bf0464cdbfbe981405a147f4b79e7b1b67e0e7b8d

SHA512
a29bb15f87da26145fe1fd078cf911a2c926ee637a7deae03c75a3e847934f8514d395d0928398b40f0bde07f405ca972912d469cc1ff52981e9d28173e7e7c3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
22c7d9e14fecb4a276c6ad66b32005a1

SHA1
2e029d824e0aa922b651f109ad37f1739dec7d20

SHA256
5f668265401c018c87321f20447287fcea166a72bdd50b4b6e112df4de394df9

SHA512
b5dbd1fb4c98906b1db1262407e8cf8661c1738804f33ad5dcecff798f7cb3b76cf447d9c8bd6a9a33cd384fa533af6b92ff864f2754040d534be1d8d38fc941

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9e8aec855e63c62c54360c68339e6612

SHA1
a8fc8e3de2b83fa2541234f5e413feef6c2bf430

SHA256
e548ef1e0292504be4a34b9036ce7489f093c1e6ed44a8ba780be30f983d05d8

SHA512
defc6f30a110b6ded1409657d78371f6cf3431d008b2f521642a71e95d4863db0b9dcc71a2c0019f042cfdafb265e6cbce01f8a5a1cf464b2dbc93ae2de2772e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
146f163987c1bca137143730ed517551

SHA1
fd99519f98d0c6dae2e687258be5e547d3f4d6b6

SHA256
58a0ef1ff174515f565c790c7f6d1e10d6e64778b9d06a779b9a69fca54ac74e

SHA512
d07744a85e9996c67dc59cafd4e83f8080a5ab39d1dad044cace02fb9a3cffcfbf211004f26416578bee01cfe6650d8801fb66ab8982969ee62194472118b86f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
bf094180874c9849802ea463161473fa

SHA1
e16f81bd7068828a12c140899f5c515374a13b43

SHA256
900130704f957a409b229a53dfdf1530372e61efd172315685e65b23724042ce

SHA512
bc05372c35674d57cee18d996607f67409a0751ac99ecd8d7faf668b6e63a1c579082cee8b8b52710b4dfe24e865c3c2d785818d7e3ebb7fa9dd7857ed9b8df9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9eb8f21b9803e016c5cc5ceaebc674cd

SHA1
2c1e2b45fa176f6e1d5b262034346d5e1e70ced0

SHA256
9f7ab4727f73c17499fbc26336dfbdcabd78a494536dd1498dac232f3b104285

SHA512
86647e05b0294dd6d46b0fa7e8471c1cf4b5a00ff79d355003c733395cdf82fa6a3bd329adf22a24055c7c4401e3a974ea176664f48b67680eca8db109f13ea9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ffbb17d70fe592557b0e3d05c8709cde

SHA1
8dc6466da5da0d5fd965456e8c534d6575075caa

SHA256
82ae7c5142c966f35bbfd18041edd295334a327db8687ca28c8b9c21f54020eb

SHA512
9b02e859ceac0daaf9bf79fbc480f5c2c4f71b56a132057e004e8f4c0feb95bb04dbd6a37ca23f916363585d0046f524fe0be6ea41ca183a073d8d12d933e56c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c784e7c801c21d983b72a49d2a559d99

SHA1
3b1b042626e0bcc95807d7b3e05164697ce5e257

SHA256
44308631426c6ad351499c2a6dc866fd1611c14ec4ba0623eaac74d98d3b449a

SHA512
f2defb4c190019c062058192be947ad5eb695bc9068655a724f00d75ea45378cd44fca20c14813d5688f54c0f6c564bca63319548725e69f4111979272d23a91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6f0d20392cda038befb9190e34c588bb

SHA1
2d9baab1bb04fafc503fdc3b89703769e420e572

SHA256
4c27f744d91cd21707f39e9dc6d69925870252093b04138c7e14e57fd4fb0663

SHA512
40f59b3d0f2c2c7452516346625b1a6b6062df51b7a4c5147edea691a3367a0d4a3aad9823e50b94f9c4fb5bbde4e060b421a3b94f3aa0239db1ea323b74c80c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
301f0ae8338e54154e53791e8a7c1cf8

SHA1
cc9c8090c4fdab0bd478255cd913fbc77d2aad43

SHA256
91fe7286d5afee4b3c5d4d1253becc4ecfb2eb6e89c31b54c60614bbcbd05e73

SHA512
6a614c6b1c2c9faea74e50c4b0ae6d6fc3fb62f09805f8f66cb155eb327276c834d21726347cc7b4bf2b9551770eaf49ed370a2749b769fec77778f498a8af94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5abb9fbe143728c5a9d48ebed3a4c23e

SHA1
fcc385154c3169b5e85d8ca0c52c43d3ebf105b7

SHA256
b369ae75b327f47f43c18168345898e5265ea42632f6fd7b4f19069fb5ab3e1f

SHA512
ab1e63743a1044d73f57a5ad7acc3831a1c1470700db5a0f88071bafab2dbf796a35c41bc4a76c62187796d7723407e456a6a8315d3b10006e9aa4bd1780cf87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
96e34c73086bba069110ef9f1c109bde

SHA1
eb4677746a57a9eebc1c8d8589ff62dbe1664edc

SHA256
88befc9643b13fcf0ad546ce2de047304e37f183a9566dc745c9d2fd9fb0bf1e

SHA512
f95b5d5d7dbd9f12a64805faa15ada7268bab5ca1e95f92a2a49de2658a9488be7fa8bfe2d77c2afe9d60f5f6f04350fdc2c58064a3aaf6eabee4edffec1ddd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
700fdd4d090d11270291eaf725d8f2d7

SHA1
bede3310aa6298901bda3d1716db84aa1574788e

SHA256
ba1db7c28b302bf73e9b40c1725f2ec25f21e3db4d33f46ffacc84e7b863bfac

SHA512
f9a092e20acd07d5df6d7df553e698a55bf024d44fc1e1ae38626fbefb3977bc73825a0df5a1dfdd579ec022ed4baba7cfde5d11ca96d07657de17fd952d226c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0b105736d41eddd528798235bf8842b0

SHA1
cc276bd6b1bf38f44cdfabd1493425ec4deb6574

SHA256
054d611a521d22c7d04f979bd5f9fb5b60da8f3d643b6a306e3c62497eb05983

SHA512
4747114b5a9d5b580aa688a9bbc4c1ba2517ad3f20742d92124b4b79f9e5d00e135b7ef23647682534fe38568f0ce0652c84524a3caf426638c39d14a9e55591

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
88dacc2e32176eceb2c57205efdebc3f

SHA1
37525b3a07d4e31b2b0f5e9394be5ca42428bc91

SHA256
a8e854ce4372ac6b396b677923092ddf3b016e5b9518b4bd9ad5f11aabb1b5ef

SHA512
d4d2ed31ecd0f1166508cc9bcdde42feadf5c5bc733fb347d3308cfd40b931a2fae94e74e0198cea0521e2ab605bc9379b0e18a6d7862c66ef198eb29a5991e0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
75027988053bd3b913299fef7eb4678e

SHA1
31fa93287f98c34319e9d9ab122eb9e365ca29f6

SHA256
c5c86967dc3b4300e02dc7204981b3b9f67c3a199aab1268bc578d260f054393

SHA512
17092831aa20e1cfe48773b004fc73cc83e2f9e5bc68bae1eaf922ea9ef67fda3fed372d21746b5624716ffd308eef32ac4151bb63ad77d69b73d20a284447a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
00e38d38d98d5decf415cce6173b5ede

SHA1
cae266754b68a203ac54655faf6f9b8c4fe1dbee

SHA256
ccf3c6861fb7c1a5e0da3f53598a373350faa74271c7aaeb18704b7d8c00cf4f

SHA512
b4ecf6208727e757d2893653546f647190299da2915c1a511baa4d8b435b74fcbfd971e0283ba0e25bc061e8313375be1b6d56ac01d68aec330b3b08c4a1af90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
3e9fb0f57dab78a4ccf64570e5fdd6d8

SHA1
c66ad6cbe3de25b5aaf68385635f833669fb9272

SHA256
ae9dec602c81b435b41603600757e07979fd6a3444222a5e2e21fb8a100b8178

SHA512
0e468a5c37f6b87ca8d21e75936aab7f90e068a2cc7b23bd02f7427edb1aad46041b3b7b9eeba1ac344acdcee60180552696dfab349e8000ad4fd3ce092035f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
d3a1a84424c1bc72b6d56b98f9c635ec

SHA1
a0ebe53a3f8c7db88a514cbe4e13c9b03580d3af

SHA256
e8b03b5c64ec03fb11f21a1b44110326e95069b66ff057cb931f58f23b2ca29b

SHA512
d3c2982e193703ea22e87604e2c413d9923248aef26077507e147a390dcb6c33f40d30f4c69bd7f643b24b1c43b6b051ff0d0f5c2e12166c9b7f21c5ecd69e91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f218d4e4773ec80ab5754a20d60c3f98

SHA1
61c2df445960537e422012ca62ded4cb03a5e9a5

SHA256
0adabeb06df4a914e6306a0b4d0c2ae7134aa7f675178c471db65a080da2dd1d

SHA512
08d08051980ddf959dbd19a7bb1e5ff651a2bb91058bd7d6eac90eaadacef0d9359c75928761d0fd4ccabcb43914ed58c74f8151cfb4b3d252e2aca11d8ed390

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
514c9c8668c03a449d9c0a1d74e99bec

SHA1
6b99cd515a0ad7e0e53c4da645b419e4c85c21e8

SHA256
9ae57c89a7e8392572c99957be3b639afcfd462457a9aeab3bce36382443e784

SHA512
fb9cd7e8fe3dbd778483da0bf9dae43af658914516d7eacc773834b95823e9e88dbf80511b51c928c8c477efe384989bdf74b9f7f904e6ad97fb1f6472c42777

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4090e1a1f44fca2119334ac86c0ecb10

SHA1
2eafdb54b77adbd47760d277c042472e29c857e5

SHA256
5c264cf7af5b73fe2ee45fbe36c917d8eaa8366a28e9dbc831745dd9d4c25034

SHA512
3e4563e27b55f0acaa26c5f4e40eba45343ae41d7dbce0a49ec500b29742443b5e957144d8f14b5081d3c5f99d89de45d276190c2d480f64f57bb06c179454ce

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2eaa0a6b17b7b33af03c96a96276f2a6

SHA1
2a6531eeb4e488cbd1dbb5c7791ed169fbff58d7

SHA256
3b1a7b6463b42b949b3592bae0f4e315b198fae22d12a88bffc0187df2a6ad5e

SHA512
63a74401acfea8cf39a36e1b87a3f531411ec725991e09a5b7a6661e0b0d28b3c505491f39a40eded9fdf1e40c4bba6b23deae9a30c34bc04fc6fc2eb15b1820

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
a0a5ef6533fa7e64033f1a10d332a7b7

SHA1
83ece8f71a9b6d4b88ba432b1eeb8211860dc616

SHA256
5fb0d7f2eb7c88cbf5de5595f314ff904630b93362af4cfa6c868de41c777be9

SHA512
76e124502278225ee3673c44372bcca26dd6e2cb7f3a8b5541b533566d5d437cb02203275918b20d9b1fca0e48ba96c06624125486f398c44e111dbb0d087bb8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
85e31f2d8367f65379122969dfc6641e

SHA1
4300f6d6d2457a1390abe6b8b45ce2f033b9275e

SHA256
ac619a5e5d79f20c267db4765f5e4dd799a73f3e8036feb581409aec61537643

SHA512
34ae5e69ff176fe905e74160122f010afe097d71c2ec35a13e6012d18cca84b7d52f69d73a0c4984635927397497281bd822b07dc08ad30f5e8400f0d475698c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7cd14f207bb29b91be7959c96d696693

SHA1
2a336c39655cd01d02b06b467400b92ab3196d03

SHA256
1c5890d72420397f557b04477ecceac7f08a7a9bd00dc44d1748c6370f8f137e

SHA512
c6caaf93aa8c04ef1c9bc798d1223e9107cc60c6cc9d18c8b33ae662192c1c7b3f8f818ff990c195c51b7d1aec2935d4b88d8b3eba83b5588a62cfb21f95221c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c9df0bf0795223da2cf413d56a809618

SHA1
bf49412e3c3c0125dede4e4d5610c5ab6eecb792

SHA256
2c0285c038a2fde13316b739ff63cc4af7550d55540d2e98c17b001add704875

SHA512
348c54d8a897f8c7f555ce355eb74e507226239480e24c0a9c6f143fc96bf7c27b4987445d71926458fa62faa62de16cf48aa54ceaa027cc0fcb6bb0d8b78ba7

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
16589fba49aed0ff429e767b4d65cd24

SHA1
a30a2abe700b61eff001741815092f6c15b7b7ad

SHA256
41783c1c297e980a06c539d666ba4e52a2be7f374aa8967caf19f5100da90398

SHA512
5b6874a3de222e51f1c264979034d31a7cfb976e467d962791b3a14dac87c7a53e54a27b673f0f01cc6cdb5557ca159b9b8556eb45787b3a39afdd32032961c1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
41e52cd2d6786606d2b3f40873d417da

SHA1
e6036824c432c279cd0f9bf2d56cef3f3f72f732

SHA256
54017b8605382f55a0e79f4cef6b963f789677de00a863af27f1a8a874281a35

SHA512
586ff7b0871b70bd3784588fb0bd1ecbb1416674daf62b4b128d9f87e1a085e6c6ce868e346045a623f0e9636db56c2f3adcede57b37b6dfc5ec626e52a7c022

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f5eeb2078ef6ee976a9de301378835f8

SHA1
233499eb6ba0dc04b32a5448fc8e453db0d452fa

SHA256
b4e55b3869165d537d16b59df442029f731bd3dbdf295d6d301baedd42cbe543

SHA512
cf6eff30abc1d7c707c190e68beb4839314a2b0aa1c513d32561d9280073948ed6e8e2c092bc5cf79c01fd87ac5a59ea97c3c3ec861298a538776663fcd97f47

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a90d66bbc85853e0267bcbace2755404

SHA1
77db96577edab39041b42d25fddff27ddb7329e2

SHA256
8dd53faa8cba63e8a054aa8a073d22b1207fd25547b5eafa447679c71023e897

SHA512
f98827d5932e246c0045ca469e7b0a7b62ea39b0e511c8fd2fda8d08a5a7ca6ef93e56269b87e978b3c686cf44d69c72f6d3e267ab1bf84ca293c5aad4fc8d0d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a0e3f4ebed323eefe30b28bf0ddd8c9e

SHA1
dc28367474ad3483e0eda1de7dad7f311fc5ea12

SHA256
9857b537f3a45bd59d73b14cba18a6fd23d033b36f9a16ccd1a436b21cb179e3

SHA512
a0a682dbd5cfb8e8284e9375486295865809fa5905f8fba880986c605fbbe161d226dfd45d1a2a58ff63527dbf75cbf4031a4dd300314784f9fff910f26d6bea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
296917a3590bfe6448b4765cb8ea0065

SHA1
89d2f0e3f8ebe992feed7bdfad713760a47a0de7

SHA256
61c913ce761a9a79bd9b817137e05b327455a6b6139dac53709634669f509ae8

SHA512
c6a9c52c640847c246953dd7e4953ef3c9262dc2194f8b73855fbf56e5fc33d0527e0de1b14287e8d35d4751437421271467ad35f5020627b3d578230eefd0c3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1acab518b6351b03bbe86af271c90cc6

SHA1
893dd4e7659d1d401aad153015c97b0c16c80288

SHA256
dd34753fe8c2dadc71d84a2d18794a88b864c3990a9ea205a48a45acb83bd994

SHA512
46311c33c68433b273c028f4301d6ee4f89292d82f87a8db057fe6811b124e78df17bec07848e2d24f71eb7f5b0c8f254ca1d8d41527aa68e70d2954bf332d72

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
737754eac288de8791c36b098357ab81

SHA1
3c94500fefbd643c0e3643da451291f979d6cd16

SHA256
0d8faa4e3375c69c551d9d464f4f7408f41573cb0f3ca98b4a22e09131f2becb

SHA512
47ba55c9d037fabf389a32756533ff907bc10a661d8d6302ff7ceb93497e8b36ada75eafb33b3e555f477b0b164bd33cad4cddda75e6840d76a8920e3fee70fb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
639a01fb6099365ec147d54915446c9b

SHA1
8d012c70a923b52d9616b0aa29eb757abf6ecacb

SHA256
ba546b95e65b1ce198be1e6d6cec13b5f1d58ac612cfb342a96d6dd9a0e82095

SHA512
76671bfade2ff12ca5564918dffdd0153a9ea1bcd6cbe235008dddff3570d6423acd2ff9bd859e41ad58afcb4f960169c2ec99c4a472a786bbe4a42f921421e8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
65528075298c757790e63b86c42f664e

SHA1
7508077a05310179b131b5e91fb15953a9168049

SHA256
519773b13bc8407fd37c3dd58c8f2766401c71ec25efbe1c0a33e7e04fb60061

SHA512
3f8372c4179e5469cc020ddb3a8645e16c01f8cc776dd220b61c962a9f3bc8acf6db08122170f901aa3ae28e212513dedbff6185e5668036bb20cdc7626d3341

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
40851ce8a1fed928b3560292e380b200

SHA1
85adf5e9394bd336f1fabf5928f2a83defb38a4c

SHA256
ff373b839af7a7f6cf3aa193afa18e8fa3c17de2e16449707ea00ef67c044797

SHA512
9ddfad27f592961418d59f0c90c8e8557975f8ccdd7c8998df1409682a297c34c38c575c1b24d414c4a748d03cd735f452e7d94685d9be325908d9fdb49aba6f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1fa5907842d2a5d07a696a645038023a

SHA1
d4bf1a4129fafa5804d47f96d882968a87217db1

SHA256
6fe040f324b08d467d3da534b2139c0176e600b7bc0de9cbb61b26ddc4185680

SHA512
8005aecdbeaefa176c38a4feccf811f4278f1e792f6c1765247b35b55cfe6044f5f3fcdd0b58a2bce5822cc085efab7d7e5388d0c1e3617a80bbc774a53f5a2c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b295c0dddd0b4764f6bcfe9b46f9998

SHA1
f08308a264622e0545191a303bfc00f79b116d65

SHA256
35b312fc8237c0546c9ac8c9f6666fc8fd1fd1a2eeca42d22d30b0c356d6c809

SHA512
b492921ae15cf2bd738c3c0913f4d252a4a2408c82e00eca608fe49ff70463851a056e0381dd35143a37c8d6f53b1b41b420103c5f41ad0c5236673f36021f66

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
dbab9ca80f76a19db34c5306ec0ac9ed

SHA1
75ce67020f704e4101203b7cc2a7c9ac11720ce4

SHA256
4232f29f49e072b90ec7e50a1b3699715732603fa147414c550e3c9599f7eef4

SHA512
c7951c4833420af9d4a102561ac405fca11bf2796578920654f8d92252ae9b61400676af77b65842e9b66227d8a5576158f6830a17e21c2550b10b87e63f9d98

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
da2b969412384755ed1ac75913c45549

SHA1
e03fad2b44e3f1567571b46dc0544b95d42d9aa7

SHA256
911364eada37a0b84c466c6582a48420e963646343ed4c3225538eb55674975a

SHA512
fb958080a7c0bf70708add9c1e650c3a04ea538fc04bedba5427a78bc9daf0a183e9f208ee49c7b7648501596ef82b62bf3a191eb4d2fad09f33aad765cefac0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3ff4c9b0724b8c338c6d3b16bafa27c5

SHA1
63291765d42c99cc2daf82b8f3654f8cf63449b4

SHA256
4695b522637634231ecfed613d02536f7396a95771dd17da0cbfdde72d24859c

SHA512
3383df6cfb00a2d05175322d9933728ed475fb555bc3c5fff03899c6bf027272ae747899acbcf04044958769f9d4b6fce942d457e1fbea2eeb86fa3c5e6525cd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
14db5b05c8d5c4e697c61e29c5d0b68d

SHA1
8a095c0612f3624b0c84f474697bb1d7b84b0b29

SHA256
c1e92582eda7bd8b4a82bfc8a7a8319ac03b589f234c13a9279c2d60c28c7d79

SHA512
39e932ec69fb67f91253370095baefbd1e8d9c00e1fb3aa15a6b850b4c04fb5d1899e2d7fa223befe695c48b32970c114446ebce6d51d0ac07a9fd625ce2355b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ddf1ba5b07b98a8cc2d22b732f87d7e3

SHA1
d211b00b8b9064ed4212671e848e9ddbd64ab40a

SHA256
1b72d4b9cf28b6bfba36283ed303a077b2050901a3fc07c5f9334a5fff66e3f2

SHA512
fdc6264e9308c2ac9cf6dbe38ff91142369a4455659f56bc53c53476b962bf0282b44e53f3f5de8695cd8e36b9091ee64f3787ebac41d32903809a964e6eef07

Download Submit
memory/232-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/232-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/404-533-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/404-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/436-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/436-137-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/436-27-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/436-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/796-527-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/796-202-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/816-201-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/816-526-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1340-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1340-522-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1396-535-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1396-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1920-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1920-529-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1932-265-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1932-534-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1952-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1952-65-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1952-54-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1952-60-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/1952-63-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/2676-42-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2676-43-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2676-38-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2676-141-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2676-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3300-73-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3300-212-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3300-67-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3300-74-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3548-200-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3912-78-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3912-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3912-85-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3912-216-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-142-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4388-100-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4388-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4388-530-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4388-89-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4388-97-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4388-95-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4388-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4424-104-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4424-115-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4600-213-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4600-528-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4800-138-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4820-6-0x0000000002400000-0x0000000002467000-memory.dmp

Filesize
412KB

Download
memory/4820-1-0x0000000002400000-0x0000000002467000-memory.dmp

Filesize
412KB

Download
memory/4820-450-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/4820-0-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/4820-114-0x0000000000400000-0x000000000058B000-memory.dmp

Filesize
1.5MB

Download
memory/5060-441-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5060-152-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5112-253-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5112-126-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download