4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 20:21

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
Size

2.3MB
MD5

de5036986db8aa9d50f65ec20b6cf250
SHA1

530ada7db24998f78f174fc07077786085d659bb
SHA256

4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7
SHA512

6229aa9a936c9240bec8195c326eb0aaab12a8e93b97aa402379bfb96cadab15d2dd009c5d59a835712ae7cf18c159e494dcc805cdbb03226c90aad6631df1d1
SSDEEP

49152:EQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0jzJE3jM2ce:Etdnfnwp3oOLuB/3/uVE3Xc

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
2184	alg.exe
3300	DiagnosticsHub.StandardCollector.Service.exe
1696	install.exe
444	fxssvc.exe
1460	elevation_service.exe
1292	elevation_service.exe
2164	maintenanceservice.exe
1544	msdtc.exe
3968	OSE.EXE
4052	PerceptionSimulationService.exe
1616	perfhost.exe
2576	locator.exe
4080	SensorDataService.exe
2792	snmptrap.exe
4324	spectrum.exe
4300	ssh-agent.exe
1360	TieringEngineService.exe
1304	AgentService.exe
1428	vds.exe
4108	vssvc.exe
4580	wbengine.exe
3988	WmiApSrv.exe
996	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
1696	install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\System32\vds.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\locator.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\367ed24326e8edb0.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\chrome_installer.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{80279D00-E918-45B7-8FD9-5E902C3B5EF2}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\java.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002052d273beedda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7a3a273beedda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004167c673beedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059141574beedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a69d1e74beedda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053b5d473beedda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5ec0d74beedda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
Token: SeAuditPrivilege	444	fxssvc.exe
Token: SeRestorePrivilege	1360	TieringEngineService.exe
Token: SeManageVolumePrivilege	1360	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1304	AgentService.exe
Token: SeBackupPrivilege	4108	vssvc.exe
Token: SeRestorePrivilege	4108	vssvc.exe
Token: SeAuditPrivilege	4108	vssvc.exe
Token: SeBackupPrivilege	4580	wbengine.exe
Token: SeRestorePrivilege	4580	wbengine.exe
Token: SeSecurityPrivilege	4580	wbengine.exe
Token: 33	996	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	996	SearchIndexer.exe
Token: SeDebugPrivilege	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
Token: SeDebugPrivilege	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
Token: SeDebugPrivilege	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
Token: SeDebugPrivilege	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
Token: SeDebugPrivilege	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
Token: SeDebugPrivilege	2184	alg.exe
Token: SeDebugPrivilege	2184	alg.exe
Token: SeDebugPrivilege	2184	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 1696	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe	86
PID 4952 wrote to memory of 1696	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe	86
PID 4952 wrote to memory of 1696	4952	4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe	86
PID 996 wrote to memory of 3428	996	SearchIndexer.exe	114
PID 996 wrote to memory of 3428	996	SearchIndexer.exe	114
PID 996 wrote to memory of 2288	996	SearchIndexer.exe	115
PID 996 wrote to memory of 2288	996	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe
"C:\Users\Admin\AppData\Local\Temp\4a3b848d3d1a23fef8b7775bd66fc2db84aca44b3f903693de01131b74ca33a7.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- \??\c:\da1acab32790cb7d043557\install.exe
  c:\da1acab32790cb7d043557\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1560

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1292

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1544

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4324

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2704

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4580

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3428
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
72510b50e171fb412e2dbdce6a53adf3

SHA1
c92cb655ad796a266880805d51fb518a9811a28b

SHA256
a92f0053f1cc216f84a4dd7bad0b837da1a13eb57dc5370d8c3c136228a1c155

SHA512
5af2d702cba88e4af4605537a80268ef7a8b41bd66de9be53e3d6ced78f21cd62174e9ac8e9d79c05a293e77d0a68f6bcc8fd2d3204d5b0c83f915d1bdcae4d9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
5a998b0e1aaccabe7f671c339c9fb5f4

SHA1
d43baaa65e2bc0182c13428578cb2c326d9d0c21

SHA256
2a50b5e2cf331079e81e4a745f6ae0d5968def0bc8fc172c34ea3e878b7cd3bb

SHA512
227f3bf788f78da9bb8bbbc548cd2022a3b101ec51519e0f38ebe41e663e333500d7dd04d284fe6119afa32bf244a0ef57bcbbe6fbef9506f01ddd8b9a61a8b0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c31e359f7c437a19f65a9d5f015f07c9

SHA1
5d798a8c2ad20cee71954c183fe9899c9c2ccc17

SHA256
5f61ce17d1213b2c019f84d9d02194d793271ffc49ff9d8e381e464440c9a0b1

SHA512
aa45d10fc30edfd8d37dfb043343f82df87e1ed85d330da430f08e45a3ed5aed1678e9780bb4eb341c5244c45137a62a1275e3af382e5d177e3622442bbaa262

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7d6179ed312da5b35a6a04637176319e

SHA1
040598f143e8988e6fbfdbe87ed3b69f4d2c33ec

SHA256
99ad5c0a1bca419f150bf0889c03164b37474f7e379ff152da0e02a5c564f9f9

SHA512
032d2ee6d2a08a8d69595f7b46e69e96d0d4c7bc7d3f190b2539fe36c1dca3f00fc595fae667645da2624fa2e8f015fe29a3e92469acad2d62efae2199c234b9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8a5449a05fbd916ec4c1eba06cb81d1f

SHA1
c5562ef09837d5244c3faaba906ede4fa559e9cc

SHA256
e615bf482ae918a41bfc8813cdd179ec2fa1d13b302b32c2fd7ef4cbe1bb2bde

SHA512
f38a3564fa93e505facae827c2e5a7a7dec9df5c8cddbe44b800d018dbf03198c7c223380c72d6f1ae03e7e03e730791fd1ab7eccb2bfd453ce84f6d089648d0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
dc5ce67edd9ffce975c7dc8deff83701

SHA1
0128edd167f8dcb3bde224e7c00ebe85f63d798b

SHA256
1bda9093ff4a9f484863c626740c17f945ff26209aa085fa3e654a6ed9cdd140

SHA512
6bcccd3d5e3cf92c91b59641e7dea12e1f1704b520be2219c85cf206f0e1ebfe26d0d909f9fa31aade45de85d5fdc22e07a378b8127c82ce6373238e34d78015

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
220310d2d49db13028f6db9c272d8225

SHA1
0737744a59011f5869e4eb099f80dd4c41e90429

SHA256
cb7f498f310b2cefcc607d05f8ab4c8c5d62fc554752c5266d03935aba9827e2

SHA512
6afbcfd4fd383e94915c4fa3783b49fed27344134db63fc208a09d425827cd819083c32412a732d4a2f06c154caa172a8819979fdd4129324e78847cadc15207

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7d434f93f38aec619c372e2b8add070e

SHA1
54b9b52557b11b8d244b7939282184a58ae4e042

SHA256
8aa286b6163e979842fbe74938b06d869b26ab8fd3de46fd0e5f2a97ddf4b91d

SHA512
ed1e04dbc0f4a8078baa96ca663bfb86d23f5a1294165977644c82d1a150077935af7d64a641b5d07d16a01e91da01248dfc8b932d95a2bfd38900cc6dbd464b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
dd83c147c49333c00ef9983c0ebe16c5

SHA1
d8ca99e58dadf9962325c97154fb1daf4ac95149

SHA256
f0e498c7125d5a95117f0827f47fac3e8d5b44445807a5857e9506be0de38872

SHA512
e3cb01cfc33e1957728b09c7f08873a036f53736a97fbd42f2e96cfb93a0317f29002b2898bd404ae69ecad7d46e2abe2c3d1fd46c6b1e02afbeaa2fb127119b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c92debb9d7fcfb6c6a9fbd59fef5a068

SHA1
8d9b67df006bc45a2773df0bf0912fc6d41b0815

SHA256
1ef5e12fb274c51aba6a69b4c57e89ed33042fe77fd6d80ccdf3f6fa55fb0c95

SHA512
65394854fe03227c18ae93ab6cdbb114f0eeaaececce5b67ee97d14a3ec028d39f7c7edd3206c3a4d49ae9052fab71f866ad6f10d5d6a932a84f9973d48260cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
925edf4087ec80e4d05f3949566e240c

SHA1
3a7df9380cff453c2135f465ef69a7fea04c4a77

SHA256
a8ba2789bea4b954a4168dd4543433ed21636299336545cd7514cc7eaa4832ea

SHA512
89d2cb3c644df3b3a43998a091ec619b0b1c942a40538d926ef5b8543d9c2f4486623b3df8f635fc750e5fce7019772aa485bc82368dc1f91948813d03004fc3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
86d46d580ee527462eef9a0f7b5c56ef

SHA1
d3cc1c7e1c274539ffc88caa31ee9e4221e997cb

SHA256
f77e4820ad2f2120a8834f395847db756744b7254b09e7323f699fe655fd5423

SHA512
85a9686e84e8ce58fccc96f672451dc1f4dc5d33b75aa8433b4b2ee43290f887590358b1a0488209b73d6d762f9e980651c209684f880e10131397319b0f7087

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
994da3ceeef3674cb55e59994add97e8

SHA1
42130746b70f6b19406c0a913c1d2bbdb713de3b

SHA256
e033fec2d28516d2243e18c46cb063bf64a0059969df1b5e0d81e4dfc66b1d46

SHA512
e30d36038a66283689e56c3bfd5fb36f9afe6ecf493207b69e3c170568647fc8b0b30f48d9dd07e94c692aeddab6f07fa16ae2963e9467ce968a75d31d270c05

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
efe13fd60b4ece64b5df881f3b3fbde7

SHA1
24c1a54a6e2164e0bbf58d175da2e711b7e9e76a

SHA256
e6a17f212cb34d4d558da1e10b9df38d85ee192bd023d9cf1eeed69394a703f0

SHA512
d5f2ef0f1dd2f5817aaa847a03861a89c73b8ab194c9faa15345e539a739e111435bc7895be82fd8585f966a5ead0293c6772fad82fc8d6f1f9e8e683e9245ac

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4d39df842f05fec002f1738a9013fbd5

SHA1
f24ffc8518bbc30a31318fbbdf195d058b30873d

SHA256
32eace628b73448e9786f1a6bae86f52d4ff55c66665306294667049a037ce1f

SHA512
e56d685736bc5ca55bfc682c15ce92694d099bee00995b5adb1aac8bcb328bafbfcb456570e1515498cc84e4ea8ee1c5849c950db90491bec8fc0fc9e5654e1c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
24f9f6a269a0db44efb25f3ad4b4c250

SHA1
34f67566f228ba40db6a989d307c45723ee51634

SHA256
58dbbbb9ffacd7fd910bd0009ebbf3124cf32e4c105d98ca4566625af788bd3c

SHA512
cc0a98b88f61cf3af594bab22183267932d4368f6e1ac2732c773ee3b2779c0bdbc2a1ee2fb80b68465611b77fbc0f3368dd68ac9b8b854a0366d4725f9deea8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
71f500a0980dd484735b6d4fc61cff90

SHA1
7ed20797e86e78688b72f8574fcc540164e9f4f2

SHA256
445518ca2baaf9514dea86ee677ff0b964c840839007915cd19990c84bbcc05a

SHA512
4d9b19e3142d621cac374a0f93076946ba99a160fa34d348e41632c804f4ef4b4cdf6a6df3615e219696b464cd1a30c00eee18fd08dfd813bfcee277cbfdbbb8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c17ee06abe37b2092dca5caee386b941

SHA1
91da764c1571a26c79a6fd797ab8c72414c302e5

SHA256
a1dfa8d145ead006616dec9ed7b66aae2ac86ebed02f4b232052c1c292053a2d

SHA512
96ec8540225b21847bde6761691305fb0edfa0a0972f33bfd3830c8fb5935707ce23242b6bf2eb615b3fe12f1216e4f6450ba0002b658ad5d6ce1ca1d4afb3f2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
4ab1dd9ad240ae50ec6bb79be99c85f7

SHA1
d71533c5cd53669048e9da650962c91784105e3e

SHA256
4bcda66fa418273d909fe0fa8dc3cba3dd17261a509a54deaae4ded5570a8791

SHA512
d098c41783fc421f958278713453370755002d3c01f8577e2f71d99744ea4c3cd1b45e274ea47a6db513ca632517d92dac211304983888726e4b2d0af38f258a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ba4cb0e616bf64b468649dd8b967be6b

SHA1
141d1d17884916e77879a4c6b31f62645261fa44

SHA256
557c908db91149687204813b4da934feb9a8ef629d0bb32c78aaeb6898b7ceca

SHA512
8681657262f5467872418013bda7629464dcd72350a98321c2bc33517931b7cda880a49654c55b309851530daa5fecde4bdcd375e124eba4280305702d1edb86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
34f4ff3846d1ddeeacf4684b36205fad

SHA1
13232a3cc6bb1ebfcc22177947036dc1db5ab36d

SHA256
8d099039e52f74e4e18ce416a9194c84493ba6ddcd397551411f8536ac07c648

SHA512
9f66d6b75da8eec5b8cecb7e838d5c5f4e433be0541ecb2ecd03c5301988c21458419e77516365641bd08530897db81efcd5dc06a730e9c61ba348604ffc356b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
d00f7390c1bb1aad4f8eb29ef75a7fdb

SHA1
59872ee6c7d815ef700e6a9fd108d7f0b960ce02

SHA256
f34ce6b386ff9513ad4ed38700606f4fa0e2c35c66fe8c000459eebcfbd10e75

SHA512
0db169dd1467d7e4b5fb4f2dc3fe4d355619e741864b9064d9dcaac02aaa543efa3072c3740ea5170bfdf4dccbda10721ac9efd17d44aea3b67f75604bde6ba4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
aa9cdbb511c964624a935fea6de623d8

SHA1
869fe2d6350004bf507fa4e7fdc67bc20d862d7f

SHA256
daf1054aa9964979103a7762a741c030268568f7dacfd29717261c4cab04f392

SHA512
1df91eb4e4da87d330a30ac157180da4f184f9faa99ec21d560b9cbe1968505c2c6b7c3091a7ecb97fd93fcccc5b8088afd4970f869162a53fcd1730f0d9230f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6b852cb02079db0ea4cd997d875c95d1

SHA1
9dbdfa893dde6e55a9fac051317544677ce166a5

SHA256
b9072470b6f2a3dabd0374ea281bccf01a1226126b1cf182ab6feda0d7ca53eb

SHA512
cfb5ae581351dcb5adc8f3cd01c85f4dcd1285a20e6d9b0f08d845fec77e155a2a52a4465d38035e698dca4fce9ec2381be9659be44ce8279d1461a1d63ab576

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
24fc3c179d108dac535c6d1882f9f8bd

SHA1
7174cc558c8d4c9cd8461c50ad4c4eabc6a5c4d6

SHA256
d5b7e44abfd19154c75d4d85971754847ec3a5812f798e72558083d3f47b949b

SHA512
f0fafad01701c51b1e8b119e0a2327befd4e8fc5f4767f48bf2768099359d55e624aaf74ca8642e7be00a254c4c7f6f4d4a2e290ff4c9ba1f1fa54e9d7b2af95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ad3b313edbf0cb886b4597c6dbc1f526

SHA1
85cfa03b14226fe9abf954db48ef5924a68ee5b8

SHA256
9a6818f23a346d73b1dd5c881f4708d2ff82e15a29deebd622c076d931b31fe5

SHA512
e4b40f9ad4d9ec0b4eb192def810d596038f4483f59fea2338363b16ec8bb545296559d000ccf1bfc8ee5ae330892890a6e13f89c8f328e1ee088092c1c0a82c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
7998706da07c42b2029eec6a726a6092

SHA1
f240f95bd69c2dd1747f8ec69b319cf05511a651

SHA256
c43e704cf4a52abebf223983ef20127f52c67e8f99d77b05057191c67610148c

SHA512
138c85d7f08caf6ae5d8769476ff90f6fe41611c4bfdaeaaec4e0e0fa6bb521973b9b10507fbd871df7045e61118dcc7d69ef41ccf52474a917e899ecab8ccd7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e9d8130ab7521dfa4c21ebd2d323f661

SHA1
74c0b87f745daa09debc4a25bfe5aa19ef3856a1

SHA256
f92702149f59618ec3ec2fd27f52c7e88ae107fa9ab4ab9001d5f664603ff4cd

SHA512
ac8bcf2037fea73041ed90aca4f250c2b42d350fb39fa4864802329465dcc08c9d27b6093ec927296262f40e914783e2e1d435ff8f725b727235fbc3f2bf45f6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
27b7083e788714d23fed6a089baa44b5

SHA1
197be85a078cb949f391b5a7f9e40827589abb28

SHA256
9d89f9e6d8d18e4ee9d34a991d374166a5a8343f6636e105df5e95cc92ef042c

SHA512
5d47414676ac5db9a400e6556da6ed0127e7bc35efc7e5c2633f5078cc7e55718bc304ea2a777e004b3be1e35360d1b5b52b862ebe0dc6767b127c441405e199

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7dd2c9fcb3bbd0fc1c112f68218377f4

SHA1
b5fbfef80eede1a91bb27cca28cadf141f8d1a32

SHA256
87d45a2bf1b782c758ee75dff49470145aee350d59ee30c506c5648b51c617aa

SHA512
849747d9766bb46b4ab85831fdb15189f44eeae542cd4594870997f6b0738334d51d21590a6947361a0957f2da6b029fc387c0931813cc02eabbeb557db48662

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
491b0716cc6d38da8240cb484f7dfc0d

SHA1
0ba23de75ea999fcb16a855dd79c393c1638078e

SHA256
98c8049a07de9bae315b2afd57e1ec4d914a10302a075eb38ab4ce90c6bfa482

SHA512
f0637371debd79251ee6608d948333b4b3dc6dccdfa67d6084ba00efdbc8076c79ed755400e57598152dad8125e8f6edccb9b6ec76a8fe86e9d45ed46af15780

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2bf7924546f025752063a3f14e604f75

SHA1
4304fb65bf30543a48864d2c025f8dae5d052356

SHA256
5521290d017dfa24defbcfbc85c548985c4ce1693f985af270c1a010b8ac115e

SHA512
96f6e9558eabd1a8af0dd4a9b32046edc8a376c1596c4dea43a9e3a3b28da624311ad66861da79ef19dca0796bdc7c9a35b4849f1a80b88fcf3714c95922ee0e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2af7ba23e93926e400c1464381c2e4da

SHA1
1c48c69170aca379df0e09e2f376160c447fca06

SHA256
c3fc9d897786205068c8f68a185fd37c29eb10b9d61071498adfa83457036205

SHA512
b8d14244c8462c0cc35c374b24c5562cdda2af7c4edb18290a11b9074bbc9613174077f756f328ba5c03c6e8d8a707bb3b4cbf29beef86bdeaacb41de923fe80

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
c663e7a629d8f4f4b44261e534863f25

SHA1
34408b5fa99ba419586d7305da5fb4a2729e914e

SHA256
0bc04bcec0ce8d9f567f29d8d00756d9f9c38038da5ab9ca22779b3ec53450cf

SHA512
e5037bb68e150c94a5bbf26a95153540a2f4157762780cb78332638f5131e1e6616a3022847003d24510b8b62594968d6744630d87982e404f2f094dde54b3c9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ef9f9ca76677acd1d8f13e804dea403b

SHA1
ce78fcab901125d9b57663718adf29cf0006604e

SHA256
a0a32db0d1f71e763a700a075308c43ad51babc09aa2d93bee405b24870ed7de

SHA512
83eff17494004989d4e180b846e178b05874ea5058fc013ee8e14d39346b17974d405b12763946bbef603af980268248af0c3dbd3e01097a070ea796973e2162

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2fd1a5a4848efd102aa0beac97bfd8cc

SHA1
06da2be564d1b87b716ccc01b0e8a89eeaf74230

SHA256
72b63f07d450660b587ffa37c86b60d82a12ab57d451b3cbd16f9ce6c4624880

SHA512
0c0851a36f3bed1e79ae7bc0138cc993cf5a7d3ea1272e3754489809b3561d9027672bd398d3b51935888a83f324986f7f0d6ce779e069d4444db753783800f2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a6752b8c624ff59bc9ddb1a042625ec0

SHA1
5fe37a6790ae683e410a9f7eabcfa947b66e3198

SHA256
42184acf6c397c5653d463e32e4331efb6a5875081feef09efee1af67dcf239b

SHA512
f52844754485b58720fa54d50397a72f11c50be2c7fb3830075ea439b5ebbda3f16b44817f2b5b056dbf4e94d0a1a2e39e658936837da360927878127f7cb555

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
05c0c438c933a54add77d48ce87570d9

SHA1
896946ec034ed6513aebc247c2dce051e51a7425

SHA256
f86c1425a005ecbadded31dd042f2bf8ce89e6b20a6066ea07f15ba5ffbce206

SHA512
c1eaee325e4bd6ccfee778e6264742cb65e5c3df20695b2080fdc55b152e35eaecf534b4613b2b39419fc4e4c165661634f6589ec53b92c6b91ada8f851049e0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
df9903edbbc935ceaa2e5bf69a0fe24b

SHA1
620c418ed836121d4144ff01d6f2b64b1a94ae82

SHA256
5963d9526907612f5e946a03dbf072efbfd545bbb9360b3e87dc50c597450c8d

SHA512
2579635ca6a2ef444aaa5da7947a9a227ca5ed08763f577f78c51a9308bfc67db01299675d3475904ba3ccd696ee77d7873742720e43b1613eddb2e176495acb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ee3b8b6bd9a22d0117d5624d4015b587

SHA1
b960adfb667d478756853656b3e56c2b0f6dcd40

SHA256
a3c1c26cd867d6617d233b7e5934d81c1113f6dfd358fcba9828a9ea0a93b6d2

SHA512
b9add391d2e75a9dc55e5bc8c941900f78f5473c7e7fcc4951170f0bfe5c39ddf5d52c89f194cb3c6367df4fb37145104dbe3cf784ccea21857b070cfc8599f2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
af4b21619a50be4278195cdf9250cf5b

SHA1
36176784924d5a4c2ad16367cb431c1066569188

SHA256
4c261d0e10e506d4bb15c8c01b6442ccb752db7219975486cb32204e1e243b40

SHA512
58643a130aed742475369bf8c54afaf248e37e2a47dcb24648fe61a057569942609bd2cb20ac990065585956316b94af61867a80a8b202547cc5cb9781e1222d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
391cc908c5dafb0564135dc7081690ba

SHA1
510da8b3c6191e55808e55df01cc25c3448e35a3

SHA256
d5e1e0b3149c0bd7fe1a3b7726d3efba479bb5196973d7d848f6cbea0425f69f

SHA512
60e1387e201b76379f0e47f9ea91105771323dbcfb40d3584f745a6b0c02554b34e1ff5ad012389891799c909a39a8072e060ff3ec629af8a1e8dd81f2cb1a41

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
05b37d55b3589afe31705c9eeb7e0230

SHA1
4e02521de16ccd0588116f2150e746040d4b477d

SHA256
274a437d1f084a4012e2d66a9ac61636eb6449424a6504f0d49a793548836ad2

SHA512
f6250a3c6f1b753707a84b67dc2df29f73efe7da6cc7304efbff420443c008b1c857f705e255cf730a55f2dad3b36de0e55cd5fd7f1be113df91348a9ea70ab7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
04f4c9d89ba964440304888fe25e7638

SHA1
e70e51ffb64041244673e7eb87b55f10f8be447b

SHA256
06222f7798a4e9554d9bbb5edcc9c1f0d767b4099bc94f5e595630742a89e1dd

SHA512
bb4af7786981891f67ed99bcf49739b5be89682cd8cb062043aef726decbad408bc045757cd6a0ddaf35cb10b2e4e98b68348e046f3bc5adafb99d9e4ccb5cea

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
803a4effc77a7de3ecb3880b23c6d155

SHA1
9c50416293011acd03eb6f20b71732cfb137b526

SHA256
a771c466617ba7c3ce78e5b3ee03c651bd9ab2335fc5a8da5fa4996702522cfd

SHA512
919b7f56951acf8098f6adf9912257689171a54e886c5aca8b8cc6e92a7e2953598922243493bbb1df427511f2040947ce3c6528db882727522df293761ffd7c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e11dfb31e8c6e6cd4c76f5d8e924d866

SHA1
5d60d6414b1cfd51bfe086c9bbcd5fc42d55a406

SHA256
ee12ad558e6dfd5409deeeafc60f895624adeb368bcdf5ede89bf796f4339f69

SHA512
7afc99f5edbb5c29e8bf77bd8f7a602cd42b4afd409a8d1e90b304d12a87f36be79f130bd9995a6ec3fd4d3dfd32ff97e7b65190a906b85edcebea22439fe612

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3d4a883c1df7abad4666d1d1f32a08d5

SHA1
03bbf8fd902e5d8db5e384d11d088a3c3ff1e8dd

SHA256
9da865c7681b2c0b93326b95154d023abe08363032d646c8f4c1c1cdf8454f7d

SHA512
bd11f13cb3d0c5a54b4b6abed9bd67b20e97c8675b2986fe95b02149bdfc098fadba9d5590c51bd5350dd72b85abd7a3e6810c76e28fd37f7a019433c8c7b573

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
02b417d5a24a5aa9f85a88ae12f7a7bc

SHA1
391f5a66a19135c2930cb8ec4b407c97f2e2230c

SHA256
d80ef9b8e913b52f783c9c5ff102d80fa2d3e03c63cc772ac9301a2490cbfa4f

SHA512
9517f48f6418f529470f1182397cbc98c2cabc47465e2324533d544a1944cae4ffebae37b45d2fbf6e449127302e487fab6e14f910fed2406e1404c1640199eb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
636a451d231927c33ad5f16dc821e141

SHA1
a6f29b0e252efc8b018c52679a6c8e6a52cb5edd

SHA256
75ae441c79e7992f3d4c9a718234b817fae283f04522ea3e4ddc1bb36f701bc1

SHA512
6b05fbce7504b70daaf810c430f4829577719ff26f8e2295f5cef1ab57973e5e42a3a0271669cc427fd2f5066d8d7754c12289622299a4423b9a04100d8f08cf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a3411315a0a8367b8674749047875384

SHA1
1e7564ae591f59b392ed4c236df66aad54a83956

SHA256
f398a72fb8364c6c766f866727c00570a3297e8ff4859c92700327066d7c57cd

SHA512
8074f9c6660f619b49fe29194fdf8a7c4f746143ef9f0aa0e9635fc19d8dbcb68ed431433eab1c1d73ed41ee2488d5b9f0ea2e4b518dc844c354c2456358ab4c

Download Submit
C:\da1acab32790cb7d043557\eula.1031.txt

Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\da1acab32790cb7d043557\install.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
C:\da1acab32790cb7d043557\install.res.1033.dll

Filesize
89KB

MD5
9edeb8b1c5c0a4cd3a3016b85108127d

SHA1
9ec25485a7ff52d1211a28cca095950901669b34

SHA256
9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9

SHA512
aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db

Download Submit
\??\c:\da1acab32790cb7d043557\eula.1033.txt

Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\da1acab32790cb7d043557\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\da1acab32790cb7d043557\install.ini

Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\da1acab32790cb7d043557\vc_red.msi

Filesize
227KB

MD5
e0951d3cb1038eb2d2b2b2f336e1ab32

SHA1
500f832b1fcd869e390457ff3dc005ba5b8cca96

SHA256
507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88

SHA512
34b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8

Download Submit
\??\c:\da1acab32790cb7d043557\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/444-92-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/444-95-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/444-73-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/444-75-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/444-80-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/996-302-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/996-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1292-104-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1292-218-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1292-98-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1292-511-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1304-244-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1304-241-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1360-548-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1360-228-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1428-247-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1428-549-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1460-510-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1460-94-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1460-84-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1460-90-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1544-122-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1544-230-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1616-222-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1696-293-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/1696-70-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2164-114-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2164-120-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2164-108-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2164-117-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2184-240-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2184-21-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2184-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2184-12-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2576-223-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2792-225-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3300-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3300-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3300-266-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3300-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3300-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3968-220-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3988-554-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3988-290-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4052-221-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4080-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4080-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4108-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4108-552-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4300-227-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4324-226-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4324-547-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4580-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4580-553-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4952-0-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/4952-229-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/4952-8-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/4952-6-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/4952-1-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download