8265a1fffc96c257311f7c441bdddfb9b7f6f22c99bcac25a040a4c88ec7099a

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e09a6b7a035dda5f58bab45cbd052f0N.exe
Size

1.3MB
MD5

7e09a6b7a035dda5f58bab45cbd052f0
SHA1

f948ea33969d990465a2904699636519c6bf8ac5
SHA256

8265a1fffc96c257311f7c441bdddfb9b7f6f22c99bcac25a040a4c88ec7099a
SHA512

e8d237164d931ac3aa92a0a55abfbab9334a6882de3d40a508ca06926a65d3223ff0c0c9804b57a0db83e5d1593026f450f5c3177a371b38b17239b3baf4475c
SSDEEP

12288:SjHU7UMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8j:Sj07atr0zAiX90z/F0jsFB3SQku

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2020	alg.exe
4876	DiagnosticsHub.StandardCollector.Service.exe
844	fxssvc.exe
2732	elevation_service.exe
2948	elevation_service.exe
4032	maintenanceservice.exe
1560	msdtc.exe
2408	OSE.EXE
3236	PerceptionSimulationService.exe
512	perfhost.exe
3392	locator.exe
2488	SensorDataService.exe
5080	snmptrap.exe
4284	spectrum.exe
3724	ssh-agent.exe
3568	TieringEngineService.exe
744	AgentService.exe
2356	vds.exe
2820	vssvc.exe
2576	wbengine.exe
4016	WmiApSrv.exe
4576	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\System32\vds.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\locator.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\afaa5e4fd1b02b8.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7e09a6b7a035dda5f58bab45cbd052f0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7e09a6b7a035dda5f58bab45cbd052f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000808fac4912eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008dc39c4812eeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001edbf84912eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041ba1b4b12eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
Token: SeAuditPrivilege	844	fxssvc.exe
Token: SeRestorePrivilege	3568	TieringEngineService.exe
Token: SeManageVolumePrivilege	3568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	744	AgentService.exe
Token: SeBackupPrivilege	2820	vssvc.exe
Token: SeRestorePrivilege	2820	vssvc.exe
Token: SeAuditPrivilege	2820	vssvc.exe
Token: SeBackupPrivilege	2576	wbengine.exe
Token: SeRestorePrivilege	2576	wbengine.exe
Token: SeSecurityPrivilege	2576	wbengine.exe
Token: 33	4576	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4576	SearchIndexer.exe
Token: SeDebugPrivilege	3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
Token: SeDebugPrivilege	3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
Token: SeDebugPrivilege	3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
Token: SeDebugPrivilege	3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
Token: SeDebugPrivilege	3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
Token: SeDebugPrivilege	2020	alg.exe
Token: SeDebugPrivilege	2020	alg.exe
Token: SeDebugPrivilege	2020	alg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe
3012	7e09a6b7a035dda5f58bab45cbd052f0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4576 wrote to memory of 3772	4576	SearchIndexer.exe	113
PID 4576 wrote to memory of 3772	4576	SearchIndexer.exe	113
PID 4576 wrote to memory of 1776	4576	SearchIndexer.exe	114
PID 4576 wrote to memory of 1776	4576	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7e09a6b7a035dda5f58bab45cbd052f0N.exe
"C:\Users\Admin\AppData\Local\Temp\7e09a6b7a035dda5f58bab45cbd052f0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2516

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2948

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4032

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1560

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:512

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3392

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2488

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4284

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1688

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2576

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4576
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3772
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
693abbd416330a109bf805629925b559

SHA1
5c498890388b3b58ae71f2d8eb0df4c8cba3f66d

SHA256
0763b6de0cad669885e4ab367de80004f1cfe237a864111c0f88f9ee4e5276bd

SHA512
2495581819a928413436777d4494b3b1d60f12fb7a8006ebad33c7460f2fec4b63801f3d40372df941e719d188c854c7b935864d2bd2b49d3c793558531962c1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
69c742d316e1673035d0581e8bd38af5

SHA1
77daf9c8150f1c16008abfd4ccbc8f1cdb91e557

SHA256
73315a5347f548bfb9b23b464ccc13221013932ded97d71dfa717721dde4758e

SHA512
dd038d2d9c648bcb3efca570828ddd9da5e0cc368084e9c57fa2c549abfa9f0771606bd7e0026c1f13e2967576354dd6c61b644ae485be5a1795188c0c51b7f3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
1b7c90abbcdfa147070ffc972537261d

SHA1
18c2a4426478033b81a9f7a160efba0bbd07a756

SHA256
d72077140ddf34d6be862783d53e81868ebca11e2225c9eacbabd94ddad5bbd7

SHA512
d220c209ae58d066dfdd3c8c1bbfe2aab9c9bd901dd3b96d817a74698f5163df6b5be8d1dce87b7934592f5dc181af757bd913c5927da253f2b3ed7deebb0a13

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5e730faaad8a4243cf2193aaf2d05035

SHA1
ba885b52170cc4c218622da1357798b77f1b5fa3

SHA256
df532f907a0cf8c946d33391c345617e70140f2d14b6d21e31ece5fc2790d6ad

SHA512
ffcb40f7f3e8f0b39b4c6d5c701f4ab5e7ea1f0879d1e391942074824078440b1a556d81c594559039b93e61185fa9d277eac1a2d6d920a0724a7afca1b8aad5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0c1e17c2b172e8d971402afe053a858b

SHA1
9576207afe84b4162a4fc2a2827398bf7364e75d

SHA256
9812e0fc09880f68e364fc9166daa931839b1ab47ab243603f6ffd374847940b

SHA512
47e7bf7e68278ed5322e38616aa192629611694a77ba5bd5880b0b0c0afddaa72a9dd46863c90980d51b98daf611b01b219e2dde2cae5449ccad53c1c60fee9f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e7b3a9a605d04f7b0d6918d2e530eb78

SHA1
8b20c771aea560cd6dfe9eea029a1578bab6822c

SHA256
b9c4fe80bd433ccd56611817497035af71244eb21c565526429103b196852e26

SHA512
bf88ad2ee4a86ac731df11b6c06703b2187c130cf69e92550555aadcd4169c0eae03e54cd072f6690c1b10ed1429139ffec87b99550f58aaaf01f72297238d4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
db09bf4fc4faee839c205b3158634aef

SHA1
9c6d6beaa0256fa77e043148345a5332183db724

SHA256
bd84103eaa25c584df9f68832adb621999bae435a354731c43129a30cedaf7c0

SHA512
0874e4415670556ae93915ffc0c2ad20e24563f3dffb80b14e9dd1d34ad4b6c40221a53b4d0b0b9877b7da443b45262691a7428ba7c2d50856a104b531e074a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
859d6a97fc249d0cd5390ef4d34e19ca

SHA1
66b8a2760e4d2444972655d94afe74dad15d6e00

SHA256
d0d8831da62ee1dd253b86121446f57c79088938789c120b30ba29cc39c33c69

SHA512
43e1fe455417b30ce253d88495a1654eff0aed5c02d45cf98357e7db393afd01c0a58113592b9274c94764e4257dee79ca74d6d8dec61e69d929a486b2605ff1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6ca2415d5deaac8facdf3cd130d0e16f

SHA1
e07a9e1a8b3f04c961d1a928849ca2fdd5118917

SHA256
7c801dc441158fe03f2d80a1f200f08f367386fd7d0b4db978bebdf3d0f18405

SHA512
e977bec9e800994c2714c28d6fbe4351fde55717f4c9a09c056f75fe0ee0102432a3fce486d03312a517ef0aaed41a9095ba584d8c3a731b02a6e8c043cbb5d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
49090cad58fd496d997e3968ec466ef3

SHA1
19270828290611326f4be63ccb2e16c3fae49c1f

SHA256
5e456f298ae729d1c9f09baea5b6d5a2b6ef891405deccac06d98bd65f8f9465

SHA512
c21c7cec9d7a153135cb7a21abcf309debdca703adda0da6fcf189f458575a56cdcb6206b145731fb93fb1ddab34296380a79b237bdc96142f1f1f1efceb06cb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b6e2e9eb3558aae469be480070d2cdc9

SHA1
420fcb5ac8ee03c08102bf9421d0abcd270f78e3

SHA256
bcdd5e110fcf4e126257a952ab5d5ea965867a06afa60caf5aecae054cdb8594

SHA512
0b9da972376a643e77f97ccb90348491aa935f2ceb71565ed55db385cc369614809b9b6f1978c57d22b77a865bc0b403c825b729d04748aa18dd239df64c8605

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9061130a66810e9b11b8cde75781de2c

SHA1
f26d25d309f898c513d40546700c1edd831e57ab

SHA256
4470015bca27136946f2248470fa08110483674685fd9f957fd962208fa03a66

SHA512
aec7e015e10fad10219b4ac1deb4410f18b65fcbe34734ff01005783ca57c1ec6c1bf2bbf6a29988c067c546da0d3de9d31e1c1d7828e60679a2e6e5ab3374f6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dda3eb50c3106536469da56f925b080f

SHA1
f0b8f218841ad8e34e7d6b3316e3391c5f721ab7

SHA256
81a91b89f9d9537f822fa19f6034491681b16d81b30a059df3dccc2150be7adc

SHA512
0d1b50eed27766f14c27262e9c2ce7356171d6bc9835427cd4fbe8a6aafdaad291fe06207577adc4ecfd8b6830b6a9790283d641c4dbebbba997ecb7bf5f6541

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
731ac861f06f04c3e26608f0599eb89b

SHA1
9012be6508eaddc83d9d1cb4d05d6958087d7f28

SHA256
0c9791aa6c4dc2fc0b80fdb0939d36b5dcd1c6598d3debef0d94514e242e859c

SHA512
fafaf4c39e707d06640eabee549b0da9af41c265eabc938c63900f262db20b5d6adb639d277101541f78d30e3534a0901adc7ba4827acc51b0981ab2caff62d5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e9c9df2669fa1b9785d2f829aeb308fe

SHA1
7429165506f424bc480aad209f21d5208ef7da13

SHA256
c53e84115d9ca94610d3019e6305e1b357f9d4eb77ab6dbc131a6025f51ef8c1

SHA512
4ac8816384719b6c3e46867a08957af1ce19d1fecfcd6de34dc68a9cd90b6b8b5cdb5a060672faac53c4ff0b53aedbc4ef52612b6c37a241f6fa77ec0b4cba13

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
5cf64220eb6ad67c517ed4622d40f50c

SHA1
2a275a83589a25b937800af4079ed8f1b1b3f595

SHA256
47ae1a6ae9502e8a5e25e44afdb4d6e7c270060e0eb5d9f6d4729d42ce32afc3

SHA512
70f40aa9806ac83587680a84e3f4fe157688a8829d3bf77d626f27ab60b7f95f270932ae64571a99bdcfec7424d4fd0fa4155ebe816016d44132947aabdcc862

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ed292cdf3774158a25ed8024fc3d1cd5

SHA1
d84f19f215241875eee514abfb26220c4ac1cd66

SHA256
89ff28ecff75af0ceaabafc94ec94db8374fd1cbf4bf7840addbea785a9caac6

SHA512
8d29a14bdab73106da99f43438c5eeb915ffa1ce60b22699bccd6d8ed81f892dd67d867467514fe4c96dc21121cf4470f6d939161cfd47c2de1a0f95c91bed24

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
4139004ead349638c000f12f0b157946

SHA1
d4f7838b64426b49ff96bbe1bfe4b412c84e6f29

SHA256
bbbe3b8ea7ac31ff27715d0e0cadd89e3d2374882d780aa0ccb57248db22b6bc

SHA512
4ec5a33f7addcb042e1ff06e709a09c574f62bfeb675ddccb2cf5aa504059dd9a7fe1b2fb153f61b397e2b620a87a5edc166110e69c94b5b0e33c2dfd2cb9b61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9468c266ae038b71fc201fa8030dc376

SHA1
fabd3710b1a9ae28b904d731d5f906cfe00e6d70

SHA256
2f24231a82c789be74baf9d8158d3b0b5febe65b224fbdae40157e5e3ccaf000

SHA512
f063d777100bd0e125ce18c27b7ba514230c571d2b6f620655b52a5df771f0a17c73a9fbd255646fda9879fba55d5053ab7705c303f16bf7e8ece7b196fb7a8e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
64dbfdb63d7ed2dba456f521bea6a1a3

SHA1
069208ae90fd461c8b7d7334d05b0f884737a5a8

SHA256
c31191a0c871888faa5d3876ed8360e41e7d690701373caa1e679a94e60d0f19

SHA512
42b80f68216671720f91f765ff7e2f780ca0d0a9aaec759be01406f6e557f8a9bf824df8cdc114a407c21f59dda287aea9d6e20994cc019f23b9791323c0b79e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
16c496376bde81400cba4c7cdac2e096

SHA1
23abf6dbb952873f940cd6d89c3ef4ce9eb168d5

SHA256
489974435e8140d919affa7ad4c68a5baa71a56f410e08bfe4c45143829c5509

SHA512
b4b914cd7980cb40aa882d3b9a0a804244a327b37a02764b9e67385b280d07cbe747c2a747bf0de848fe40fd2a33d40490c3d8fa319c60c722c1cdbc38782694

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
d9c2320a78a99b8fdf0b0cbe56d71c3f

SHA1
d243e4e4ba11f73a5970573f77220b60f55c0841

SHA256
fc5cd32e7ed49c3369aa41f997e564c9a41a8c47630738325bb74adc5cb21732

SHA512
926db8228c661ddf0a3c5c35eaf19a31850eeb9a8676cccdafced4c4293250b8ced1e52d4f11076ec42a76435ba11c46b39769482e7c58a006790fcab535cd9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
9bdf0bcdb1d063d6c17a04decc47e3a2

SHA1
2d8d564b7577a39eecd5c2625acc7c61aec70bf7

SHA256
d57bcb6a0ef52b6b6cae716ae1bf991f0597374bcfcccff8c532264f56eca108

SHA512
17b84bfb71cb5c07c2ee17e043bb19777f26a8808f8c3e84e537580c74ad72134e55baad278e2a34d2d7488854a3c95cd949aa2652013094d8f9a96be541a7f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
bb1117994afa85c22aa8fd373785dccf

SHA1
835a99f507d6d2636522723c1745080c1df7540c

SHA256
7a061519b764b75888970f9bdb76e51274778dd716dfb8398772c00008ec4a96

SHA512
720d18403e518616da12ed4499c16a737cadb36243f5a6dd8f6cf53d76ad71690a9bdfa8d7e45b4efcc1b91362e267ddf881bf254bcc155b9890ae372402e60c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
25e50ae9f8215a2a24a9da6d6258b555

SHA1
9281819f0331bdf0052fb8070818a39fdc15dfe2

SHA256
babd8d8aacbb6d824c586b316e5170da508a8bc1421060aba9f7c994b353b2e9

SHA512
3c0ecd45e5d0481f91fa1ad8098cf6d4707914b12351a065ebe9c4ec7a41d8a1e966ac928a087c8a9eda25a3e4d133887b19daefd748cbd0075443a955a00686

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e1956af0d9217b5a2b47c2c77b84b63f

SHA1
861262b40ccce1aad71f9bf5b05f2eddd4149a5e

SHA256
68114c3a9b8f48b2c7e90653f644e167575121057d9458fd6e1c66c12472069c

SHA512
9fc14cbb57903d5007275d17315d2a442d7625c7bb247a52e63dbc0f099d187d91f986acde5afa345050c284d447cec8bb8d6b6b11d5875ba58b5a1b1c1fe958

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b05ce491f58da1b23b4b3bf67014c60d

SHA1
7e2af532290ae8fe0e8cb13b47b11852aa6f4f82

SHA256
1ce1a5b22b7007cfcf9e3d5fce9fcb5db623b75170f7c32b04eee0ad2f0a3b24

SHA512
7133ea47480eb7267be4811b5f39dfca67a695f54743b46ee45ffb42f83c5430648631429a060d18d8871dce415075b9bab198493567f4956fe53363f055911b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
ba2a55eba7879de740e0330e8a059340

SHA1
480eae99099472274d8c1899d7e175b0b7dce964

SHA256
2c8298fc44b6ff1b6d650e5ad72bb5ed687dde109f08af28d64365854a145cfb

SHA512
ed46124e680848e23ed1287c0d027db68c3a21f70e68db3059c73fd6263bb6944980cafa14bcded26db5e635d21377dc29c38737224225710304b1bf768077bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f72647673f568c1104eb10662807b210

SHA1
ed7c7eaede5e561344dd5e0b5b37f7e8d4a505f6

SHA256
f54f773e32e9b0aac598815a667a8317877f6184c61052d8084ed6f553221e01

SHA512
6b55074a7e3a38a5e3b44bc675cc632d8e2671ee945567b7763cd967cdaa595da024fb1db504982bc7045f46d3c71ca0a25e57b17477453887ad8b0ab24ed8ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
fa9764211dfdd3c646f9df526caef4dd

SHA1
7ec99f11e5a6953bdb4c518013fa038ed69777a4

SHA256
750b20a137163daf17ee01af7ec0d54b9056e926b03147d411f5a9e36b622102

SHA512
8c363301e3fdba79c2b05b9e899bd4c9e674af1d13b85843c6922e5537a337d38416032f042af1fcbb2037eaff148fed9a51c6f3d48bf78245d9d69987b826dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
298dae4ec99e77c0929a8e81bd8ef894

SHA1
417affd780c3238f7e0c87317309f7367dfb62b0

SHA256
24c4ca976106bef4aad9b5b42667e258a405cdce145195d953ef248dc873b8e3

SHA512
229e7d64a188852309f7c8a53e41e5bde7c2764a4ac7d93de2ff6ed5460b5af8fe7a63c36cb4a859f58a031968766531e51130cd9736c68de9826e1c03716b29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9ed330413be8689c4e073a8401b4090d

SHA1
2ff47b50baa1154e64e120d3b231ce809b8f8eb5

SHA256
670cc27289f33b63ed687299c5467981c2d64885d9f41e7e1e95ff82727c19d3

SHA512
760c6d7ca2568b49fe02ca04a9c094fab9ac948d546cbe5b5917afb2a4518eb07a1e340d674851f29ff41762af659cda7edec86e1cf7b11b11aeace883584bcc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3bc8f6841a13a7f3e904f14334037de1

SHA1
1feb862edab26db15ddf007e943744c402cd7533

SHA256
cad358d2fd22033d1b7e9fd30505d97b06f647be23f03809c1ebe8803ae88c6d

SHA512
6be4e87e9f4a8a262790b51a4817e92cf29de1bf9cbfaa10c4807e54ba8068980a344c3ced6f3e70660850cc601feaf2126cff1ba46d486be5165c30500a805e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
8faa54b00df7a611803ae9d0957ad1dd

SHA1
7ce9847e800c40bf842f015ddbd2dfbe087719f8

SHA256
8d06db8c1ac5f97cc2e18148d6ac86156095379c71380dc8b42821eb0e1c0573

SHA512
92305bf668471be0a373f068521fb4cc50959347dd4d7878d1c5396027c98db832f74d44e80b6bbf6fa219cd0e622d677a1c296e1162e2cf6fc6f276ee422759

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
614731c12a6403cfe8cf37c83e873658

SHA1
5bea547c9973394d1cbc859ba3dbcab54f911c42

SHA256
ed46f7385d2856ead160b246dc38f1a637246182e9c8d70f8d30b1bdef9825f6

SHA512
bb32d2e002852b1ee15f355a16c03a3d161cd92ed7c1dd51039fc91cc63e255244d45141588a63ba9d7b0e7962c9b2078efac4ea289e008353887e7cf6698421

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
a9cf482430a5011bc7537f5feac95ab5

SHA1
5a77785b41e4917573f65358d1551da5a68a4948

SHA256
1fbb703c89fd0a18f0ed26ba68839b346dd5185dfb131b6d1d77d93bf44e593f

SHA512
ef85b09b4949025b21ef9773cb5589e7f0b6fe731950ee49e7eeb3351f612dbb704708bc08f458cd4f53ac2ff7921f6514611a52d009fe04bceedbde7731306a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
76b3dd770795209e1d2e8d50d3018f65

SHA1
594808fb06989797cf2ee9c2fca395dd21786123

SHA256
41b932b62266a172c4f6f3649ca0031ee8c59ea3a7a411516964fc66bf8389a8

SHA512
ed0dac4b45902e0ccc487c8b760e970a3319df55cb29e63efa8c587f066190328523073eb771893d36e24b2df7446502e18149c8d354d047451195eeed33a5a6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
e8e61070fcbd29f4723d88095732cfc1

SHA1
503fbd1dfa19d2bd3bc4f27e56f16adec4d1831b

SHA256
2a87f276e93d1d86a5e7de445b22f50f7b6580e25eea9186fb8afb20775ceaa8

SHA512
662c8adc7faf642b8762e878bab0385818adadd60814318913d60d1728bb43aa06d61878f1b80fccb75ecea67b083572aabb623c0f7818dac787bdbc64d3bffa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
91dedd496f59101b46731adeb88317ef

SHA1
bf2edc01c7cbae6c3bf70e22924865cb2579f2bc

SHA256
dd5cd85ff4931349c61831dbf41fc9bfd75fb0401679c64957f206776eea9890

SHA512
cfabf489910d06d9e7819cce89fb63a510f09400c8b4b9fd22e3f9900b0a9b54900aede6018d4f6c82b4c01cddce10cad3dd3a53baea3e85ff31b0ff354c1d16

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cc85157dd0748b8030f9a446a6af1921

SHA1
bddf2b2e7abb47c3b216c49d50cb9b7dafcf04e5

SHA256
af2a10e93ce4edfbccb13e08c5cac018be907404e30375ff37ac212a88930188

SHA512
371e0f3cb3260a259c9276c46d586f5a0c76c3bf1afea7e7354e4a0c0c21096e83a19096dc0e84a89fce343a8452db569e134664356ab61b434e7ac95c6efdd4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b03d4294a766cf426bbf50ffb70d0bea

SHA1
6ca0beea1b522db247b03409541ba03b78e2ebd7

SHA256
97ff77c9620f14901bbcdef5119fda6e6b70b6285be44a51a4b30f30ba6d68d6

SHA512
4120e2a84c08aff4c549e9648a3de737286c19b75a515694b0844739a42c3889ad913b2c7434d5c88ed59f107dc3a345423ed081a43e9ac08b2afa7a492e0e7f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b340bbe92bac8efd008d4c60fd75c1e8

SHA1
39ea0aa6be0e8a333fc23840ec8ee234273e3b50

SHA256
aeeea777c7f53d469778621ca84b22dbd09e2e50ed2b47fd6890ca945b620c48

SHA512
5d77cab94117a6e830d62db11a37aa121cf82b1e1268b9727addef982e298bbdd6763877f44f667a3ff83938650bfa4ff3a9c415688be204dd61738f0fb6f3bd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7d272675d570d69e57fdfaa17b4e368b

SHA1
39c8dafa188dbf74f6cf99a49783537294287249

SHA256
725d831f64b6a28b7bee2c92e94fd5701bca7182fe7b18b88e1c3ed833b22cef

SHA512
abd546af403b4bda7a32735ff5aad80212458125ab95e1115cac4fd442825d8154551dcae7156bb121efd95aae1efb109ec6f65464fc746beb524ad260fa460c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
9f97c422a4910833c634bf2a1de95b7b

SHA1
6676fa6a99bf1b4925f6ca7df14a3113df31c530

SHA256
8a846e774df3cb287cbf773235e9c6fd7569dea965408101dc27673791ac7f86

SHA512
66a7a4357fbe3dca1765d9350e22e59202181c70eff7424819f70e1d811ebc023418fe825e316410f5d2d7a068bc9240e4f698771cf29f6d78905a5ad9df3564

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fdbd034a9ad09a2114e111d835aec9ef

SHA1
70d0ac3b3655dfbbfac1066bea3da64faee568f0

SHA256
fcf79b022bd83448335a9ce6b681ff3c0172d8c4921413bf33f2150c072663f5

SHA512
589af3cb50c325fd33ffc212a40236b80bcbc056c28abb6995cc484b60e311f4a116e6f65d8fe3bf03cf86604ebc718a123509ca7c7c7dadb9bfdc54f3351c4f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
407f8fa988d4bad46b3dc10edc68b118

SHA1
11aaa438efa7d9ad2ab0ce9894208197f5541ace

SHA256
220cef7f6149e7db2f77eaa780f76516add120c0a3dddb109639443bc42b9e6a

SHA512
4d581281f975f3c21662728ba5d2c756bc4816099fb44a28e9fc0a41f648cb4bcfe081174931913a17ee4eda43f227bed474e141e1d1e0f3aa6f6ab07efb0c16

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1c8912198192c52875ab0ec7fdbd1b11

SHA1
061c26ff9af7777adeef6d4072e6cd88caa45836

SHA256
e37eadce4acd635518d27e669bbebbf8466bc343f12973be01aba9c23266cc21

SHA512
e87d3e0786f0e4012f89f24626e7a5346b0a6667f29f3fb1a84d7e0c634c8d9fa7cfd7e5262077bf8f196b1f9ffbf562653ef4a768d9713f0d52d22eaeb81a53

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
239d5ae3c98dbb6d21016f668eb31a1b

SHA1
eeb1aea5ed97776b1ec6876d66ed305c591c6373

SHA256
0da17aa4691d7279411e6ffd2442d00f9274e78fbb9b35443fb02ef362d0b23c

SHA512
ba2fe051dfb1e69a5e55533d4dc0045db3f14dacbdd0f8d9ff4adbf3325b12e64b0b8f00c4d66179a4d2d4f1d4ea5538545fc4a169d5357f65047828999b3dbf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3c8d7820da689c0d9f17fcbefe9883fb

SHA1
e6a9b6db66f0b87e98dba5238cc97e42b27ad51b

SHA256
b314fdbc6615f48174c0744f33056c0c9baa87726543dcf32202fd987a67cdc6

SHA512
dd6cb7a96b53ed71babd11a10a1573bfbd60d7f8e3f21a821f64a6240cc36aa3c1e8995381420d26ab2233b93d545bbafcf19370ea7f68f6cf9e19c577df93ac

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
008a3f2eeb04d5c2330834198f56348f

SHA1
5c73a299744af7529ada2be6fbc5ad98b2c1efca

SHA256
b824a6fd398d1e741d6fc096ac6158c03b98eb005690ef460ee92dac8b7cbf71

SHA512
77d683d3ad15f54e8112ef84289738d0982b0f26939ce436433e4468a9352735eb590f7e696c43abc963d2eae9eaa414e8664f12462b2b92e73a4920db7532d6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8f6495e4940c9ce1f7c859cdce8f3a35

SHA1
f0d9f13802265d7596791243837859d12cec9779

SHA256
75da7f59f46b12ce2ac20612534e8bf4b6a9d4cab3f434c117350d172341cfdd

SHA512
a685d1815ee7e2279fbfe3609dfc7716159fa24fd6c37737c1b2321c1ee45a105f62538da291fb4280bd33a2fccac247620238dd86c40c0186b20749432aaefb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
79dc97c2f4799edcb69cfb29e83523a4

SHA1
573765bf0e0e869c768136555b585ab140890268

SHA256
ca6518638684aadc4b4a8387688aa134c7f98eaa922397b5e212d730dc5fd823

SHA512
ee14095b0b3600169294a64b160cbd45963b2e307e7c9f9d9c39960e900f361be91ad6433682ef06f380c55596edff4c30e43a3afaf8c593881d427ec9a91e82

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f7e513aa742ea613547630a3a9146965

SHA1
43365db62075e5bc29c912f4529353782cf21307

SHA256
1d35c60addf394209e4fadb90206a4ff16453c98ccb8be8f411e11aa2c149c67

SHA512
392e7a937b120aab623b2c6103a258570deaa8b00a2de0e95cf01d02c75d9a68bfa54e0e7c379be25ee793157f233f2d2f70d85c005df960035678d3e871d117

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ed676badede4abe6bfb24560e0188c63

SHA1
6eecf66885f25a32f3032da858c879790416625d

SHA256
cbfb46487d1f11cfa9e32a425c55933d3d68d4c499d499845622b36b53af47a4

SHA512
a322ff39ff2ff080c048f9e04580f561235f930decf5572579e11489a922974f15175756131c980e6f1fde8df2d74e211e3266ce94a62d6c91bbf1cb945f090c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
499803fd6334f8a82637e27265f8eb21

SHA1
6f670bed981225e551c0a84894a4ae0874a62fe9

SHA256
85f2f34b7c9a9544e761e0247af03af541ae171965b5f5b9d9f35e7f592c8e4b

SHA512
5516ee6ce6990f5013f0601c0da12c01b512fa8657e3c0b039fd595edabd41263c9f2628aeaf9c5e0e6cd0c7f0bdc954cacc0eb2446a6de2b269107716c6c23c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e8f5eab5b1f849990beccc60517264e9

SHA1
ad12870ddb03173613ebda3d2fd8e44f94e3a76a

SHA256
efe27be13f59bed442b0cc7abb1cecf45ca01a92174c9ef0e314dd5449fb0936

SHA512
91d440957b9275921fb448b71143982766c1926088e1fc14dfbafd3b15f74cb49a59c13b2df3bdc069747afa548dfc84da27f21783afae16bada752aa82ef81a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
45a74aa598ace41a0a016e266039cf29

SHA1
c251bec771dc37437f368d08764b0f15f58c0961

SHA256
b2e2f1512bd651328bbd42c05f69a307eb3860f1f917ff649e5cdfa00d03d3bc

SHA512
c533695640380ea2313c312fb7d3464d8b7c540d4d24c2c7bfc3fefe13b6f1e8073f6c72e08a33435bcc0637b1eb34ef6a431e0a6784511c99a03c5b16fac236

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
64683c01c67ac653d1a0afa177617b87

SHA1
51f948ba40832ca010a507ed7fcd9972c2c9ab69

SHA256
7aabea595ffca7ed698c1944393f33c29a7281c662fc1a13db3d3896e345d62c

SHA512
794dd51a11d85d0b8ea1c405feeafce74d766e8f7c26ada1662bd58dccedf9fa9c7c60c8f4efc523455b78dbe63c81293c51464405b78de49a46d88fc382cea9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
701631ad98972387e2ee86226e3292d6

SHA1
a44baec03201c07b3f4e646f98d56e5cc40328cc

SHA256
1cd944491fd35520fba457d7ba60ed56f4e5551244e4a1ca417468298c4ef86f

SHA512
5b7f1e4a427d65aa7f4368c6890d760b397dd4678cbfa29d8365d4f88e0a21f1e94e0f275d3f7043d0ae2acba6d3583f59d23ce323a68edbf7a6b3203aab792c

Download Submit
memory/512-152-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/744-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/844-37-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/844-56-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/844-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/844-43-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/844-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1560-96-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1560-87-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2020-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2020-409-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2020-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2020-22-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/2356-269-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2408-150-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/2488-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2488-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2576-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2732-53-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2732-579-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2732-54-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2732-47-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2820-270-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2948-581-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2948-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2948-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2948-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3012-0-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/3012-1-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/3012-7-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/3012-6-0x0000000000830000-0x0000000000897000-memory.dmp

Filesize
412KB

Download
memory/3012-166-0x0000000000400000-0x000000000054A000-memory.dmp

Filesize
1.3MB

Download
memory/3236-151-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3392-153-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3568-268-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/3724-267-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/4016-274-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4016-603-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4032-73-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4032-79-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4032-83-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4032-72-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4032-85-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4284-266-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4576-604-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4576-309-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4876-33-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4876-25-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4876-31-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/5080-167-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download