a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
Size

1.6MB
MD5

86fcaabeee9da97ecad4f4fc0dfa17fc
SHA1

01d152202ac8f8654e6a5bfedc2806125f7a0050
SHA256

a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58
SHA512

8df2e6d906a952396f450a384b937ce67ec0ac849332f72467994c0e060887c62ce6d12588ed3106756c3e05cf71a836af9902888c4013e2e4a5381754528ff0
SSDEEP

24576:EP5qkoHgyeLThUwt2rR8FfBhRJUEbDk1ulUh:jgpLt2r4PRSEk1ul

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3844	alg.exe
4016	DiagnosticsHub.StandardCollector.Service.exe
244	fxssvc.exe
4776	elevation_service.exe
2192	elevation_service.exe
736	maintenanceservice.exe
4760	msdtc.exe
1500	OSE.EXE
2568	PerceptionSimulationService.exe
732	perfhost.exe
2260	locator.exe
4552	SensorDataService.exe
2032	snmptrap.exe
5060	spectrum.exe
4532	ssh-agent.exe
4328	TieringEngineService.exe
2940	AgentService.exe
1652	vds.exe
4400	vssvc.exe
4504	wbengine.exe
5048	WmiApSrv.exe
540	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7a6b4de120b56551.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\locator.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\System32\vds.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\javaws.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1df8d8a6cfeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071e57c8d6cfeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fb4e38a6cfeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbdaea8a6cfeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006da4b18a6cfeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b30ade8b6cfeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d743718a6cfeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000908cdc8a6cfeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4016	DiagnosticsHub.StandardCollector.Service.exe
4016	DiagnosticsHub.StandardCollector.Service.exe
4016	DiagnosticsHub.StandardCollector.Service.exe
4016	DiagnosticsHub.StandardCollector.Service.exe
4016	DiagnosticsHub.StandardCollector.Service.exe
4016	DiagnosticsHub.StandardCollector.Service.exe
4016	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4904	a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
Token: SeAuditPrivilege	244	fxssvc.exe
Token: SeRestorePrivilege	4328	TieringEngineService.exe
Token: SeManageVolumePrivilege	4328	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2940	AgentService.exe
Token: SeBackupPrivilege	4400	vssvc.exe
Token: SeRestorePrivilege	4400	vssvc.exe
Token: SeAuditPrivilege	4400	vssvc.exe
Token: SeBackupPrivilege	4504	wbengine.exe
Token: SeRestorePrivilege	4504	wbengine.exe
Token: SeSecurityPrivilege	4504	wbengine.exe
Token: 33	540	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	540	SearchIndexer.exe
Token: SeDebugPrivilege	3844	alg.exe
Token: SeDebugPrivilege	3844	alg.exe
Token: SeDebugPrivilege	3844	alg.exe
Token: SeDebugPrivilege	4016	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2304	540	SearchIndexer.exe	112
PID 540 wrote to memory of 2304	540	SearchIndexer.exe	112
PID 540 wrote to memory of 3356	540	SearchIndexer.exe	113
PID 540 wrote to memory of 3356	540	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe
"C:\Users\Admin\AppData\Local\Temp\a80833ab8ba2fe8af4c13b370c0d81bf0a939acc45416de8f40932c7188eca58.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4904

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4188

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2192

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:736

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4760

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1500

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4552

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5060

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3416

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4504

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2304
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
320b2aaafa21e039c4835c607145095c

SHA1
33b00709e6c5143e9bbdd6c281e8656f345784c2

SHA256
b40561f93eee3c04d84fe7bf70b52c911a215bc55c926abd8c95b05894011474

SHA512
900e1c9d052007f7c9f13f51cb9129d797f9dd276fc5623892fdc4e436a89799ed5857eab47c61db15c7f26188aa8c1b8ef0ddde7475c1f027c0edffdd89cad4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
1e65da33c0788dba5ea23af00536ee95

SHA1
2341abbe5f2a2559c5bda2a4f9f26229129c17f9

SHA256
5a687d8a4eb0a8552e5f5b41346d632d2ecb721fe8357dafea939942029a902a

SHA512
e1c7220e64bc4150bbf6e6ab78ac53ebee2d8d74f78eecacbc8056a1135741e1deee381e9fa14ef9a24550bc17fa23e8ccff295912a201687d5e5228caa486b7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
5518ea58b1eaff42f7e26956d271d753

SHA1
1b17c985b7e9d9e1bcc606773b98c48c304ab9b3

SHA256
28d20dc18c01401c7ad89f31e2a246931c1dbefc502a8759d6ae58c77e37223b

SHA512
150fc72ea5a4a1b06b4ba597f9c61573d4fea48178e15038d5aecec3a7d0b4cbaf7a6c958feb92e3c3716a4e8932c74d3504e1593785b4fb337dbc12588d14b3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
ac45b41be415c6e708307d0ee088613d

SHA1
867d056764df430638659d4bbab986a5ce09d1bb

SHA256
d2204da09355cdddc8b58ab0973a9625d2a9e2c98d4118e57bd6e9dddb6e1029

SHA512
38eb1ac3d12a18ce43546084c82db979f16db2f499f1ed1d6874898424d6c75dd7315031ddbb1c04b238025a32c1926eb3d833c496690400804323f02569e69f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7278eb14f5b8cb4c03dd750c84e8f7c1

SHA1
c50137a705460e91247beeeebadf2bd18c236602

SHA256
2af5d88ac38616265366c143e22c91ae792078271ea52045234873100c8ad6e6

SHA512
51f801bed7d110d986f7ea3a38579959f3fcdb2295cc0d472991e8d04462f345fa6628513cbaeb4ceb6801cb8b1563175f9d3c9ebddca3fdebcdf85281449a65

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
72efd30c3b5fa5ebbe5ead9ad27fe170

SHA1
840ab857c683b155f737cf8663c19545fe457a50

SHA256
4b42240787b28655975062a3eb7a83aaa7c248a4e185dab7416e71128c8d41e1

SHA512
b5ed4525e66940b760ce9a59a3916f0238ea7f50b513e5607b91bc3406023aba938f0247afff767db531341a21ab32a4e4f041fa3c70354d90ac13e6cb84f016

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
47cf940b9184b91c924d947159b374c3

SHA1
31666f9a54a6c10ea78b314cc62b234e05afe1d2

SHA256
7b68639993e6435b185d4ae1f98d04a3f3061e2d1ae86e4ff72868fa40866faf

SHA512
310d5cd2236fb4d5e56cf5dc9dcb23d184b23a9c03f9d1db7b7f8243a2bf989f2f82cf32279d4cee35a8ea0ee3cb442c1d9b32d1895ef7ff0b77f20f781cd538

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5ba9ca5c815039b2b2693ea7e8d532a6

SHA1
c6679bc6a09d2f9d3bc79bce7db3e9e7dd346981

SHA256
f4af8f27b8b18c34c0fd752a03137705f91ee7e6fa536d9adb5b13ab273db2dc

SHA512
7346ad59fd8884f6c2753a1e91fa64e6090914f1be5fe9e4f7a66df8abf114611236229228069858f4086efb091e04e68d19852bb1755e14a36ce14867e183f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a1ceeef5ae34bcb6945c79db3a826242

SHA1
2e8870b9cd55e353ff67ad1936da953a77891573

SHA256
57297cc1aba6bf4dd7003b30296233fb3ea0e10bf2a912cebcfff0a16992beff

SHA512
58572e8584e91a3e28f3836ec9aa1f75dbeda4bbafdf221c47de18fca979e83231b3ad4124728ecc3f597c3b2f7c41d29f09d6261ee92172ae09bfa8b3960266

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c0dd31b804391eb89fccc9d19b67b675

SHA1
a3177377612ec97a8107c0cb83bbabceb16a4d64

SHA256
2c13c100d8d77d8dad8656f46ccc65c6bd4ca81baf3d74167d2f611d89395221

SHA512
8e91049de05635e87c5161a2745b08acc8a927945f0efdc65f7826d8c53db78e4e032d251ddaa9fc2f16da1c338c209328cf8dad18b8bf762dfbb550616ecad2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a5814c0c4494359820ca6497d523705e

SHA1
19621f9b617dd0ec895d5931465883c435088005

SHA256
f4955881a718d796c192058ff732af5eb2f6028506042bd04f5315818c329947

SHA512
2daaa557bcd393098bb31a34fab54b3c3f7e2103e30334ba84247c0664a7ec5012e2f64994f73100c32122ebd56327409a48229306180abbca89c694788e1d17

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c236656ed58297a8675a1c3f2dcaff29

SHA1
ac35c68f05ce25e8cb025082bbd0ab3056223fcb

SHA256
6e63f7483da8b847351994ad3a9bb1a9cc455064335e0c85e3a00901eddc196e

SHA512
e23ecbd81c7cf6e2ba1af1fa22c7627954f98945f32437765e44f8a650b147145cc5c72a4f85f5097f3a2e029ba6058dc69239ed296552fb9424def56bace64f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cdca2338d4e3a7bc2c1394c62d7d41a0

SHA1
5699078c9244527826080ceacafd0cb2eb9fa63f

SHA256
40ae6499937dbe7514bdbc29bd4ddb4053a585335c15d723c3fb25d9469e5568

SHA512
4371185f7c2dd13725f40305ebbbf66df132fabc107463c5ecebbf37a7de21775dab469ae2fd1b32e8d9ec4e23cee56599e3f5475053ad0f662c74a2a471830d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9b00c9837c27093dc882248ddb2af0c8

SHA1
070f7307ff1fb0835fb02f8d217e15e802754ef6

SHA256
96deca08900985341a8a75bea6e70387110547c9e87add57456d3177a05646bb

SHA512
26c46551447c88ac8e092b8e8d0a248eec06edfc40a52eb0833f381b0de1d8b9681db17bb5fc18dddf2615aa0b5cb7de3ffd1a35b4bd16b22c0629b2f2233768

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
8449fb464b586cd5818c19683770caca

SHA1
d07f3739d8af0990f96fc05c0a6cc9d45980d306

SHA256
8af83a87a6caab6de3ebf837e680f77a6c7430c9770d8dc66e71a5c8b3c57732

SHA512
14212e692abb2d4f3465e038ec1c18fbd9a9a24d9711e1f8cbcac7cb3e6c854532f1442f07a13ac52b79e396452d3fc08aadded8b65588374bf70bf33adb6363

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
0122f393f7d4ef42253356602675b768

SHA1
7b476d3e775d46f77c90842e7e98c90e3dd55b87

SHA256
7ffffafca7083973a2a3733371a56b09828c4a5856e61c5daac84c2454e3e118

SHA512
58ba542fc33227b977dd8314d1950bc0ca86de2f603158771b24088388309c8cd5081ce07825be7199ab87d60b756d9f7dac381c93ff1bf913478b1ab3d76f82

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
bc57b596f7e280bb4113a8933d6533fb

SHA1
2c911f74b1a77982e89c9f399f0d710347b95753

SHA256
c4eb89a6437345c7886e76804fb63cdd186adb991553118b1e5b709503dbb52c

SHA512
d4d518dc16fe4e52ba16cd10082a4bbc048422ba57a36c13f7da124cbcb64ad77b4a87ae800df633b7686b7b6cbe6cb624c03aef91be43485b79262b2f83547d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0a9279b1ab4f4d34ebbc4b4f85d6eea5

SHA1
01ddb8f202604c559a15ee30ad433f637721935f

SHA256
913232df2384aa71f2f1e89d67b25f84ca549343e18d8e1f3a14e5d5f1b9e2fe

SHA512
4a5bc390a8ddd014a3df7aa53ed309bc94cb9a95ac6d5606033215a3f4a3ff37f0149511fae8922f44d3f35aa639990c9db48bfbc03ef2fdb6704f4192f71d6b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
f0891d323a66a4426c309ffac3ae2fcb

SHA1
f49d1818f74564838bb8708be33da953cec3d827

SHA256
5af2ef5184f4bbdcebe0a0635c9b9ad4b80131df669882f8508bcb0d970844b1

SHA512
f62419679d055fc557a4ddee81aeb960e3dd4886c97169ba01a58c00a957a44105e7ab10a557682be50d71d454674dd37ba41bdf97f9712f2e525b50a87e4a3a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
569f703038e45036b5dbbc76edbf0e95

SHA1
fb1dfefe3b12caba17b9a807802e8d70d18d625e

SHA256
577d55d76e9c3d929309c2ae73b4fe3be134acc86759f2fa4be1095ee0c5d124

SHA512
5b068b43196ae1fc82c5e9bf7e576768de35730677bd0607a28efb8765672c1c1be6fd114b6e05fd75fc9636a2f292f9859187590e31a8403e2423beeead863b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8073ab541042f52118db0efcea48f1bc

SHA1
8e4fb582ce9491550c3c53501f07a6d93b9685f9

SHA256
25e665b2475971c279a45d530f6835ac4eb970dbf19eeaf02cad2a5915933c3f

SHA512
eb5d52aaf69017cb25f2f8120814ebb73257c21cf0b6295c9885aea27288d7067c8fbcdb88fe56f1adef37b55202c3744dbfc34ffbe99ebaf3328318c3954483

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
12ef949ceba0c04fb8f741c31c89b9d4

SHA1
92195ee0634b669b698ae28f6f50309b8082b66b

SHA256
fc2e0b685ada2cb6d83023ac3552db47d73e584f75f21aec9a738286ee83fdbb

SHA512
76b077738f3bfe08d1865b2429137782b2ae8ee5ec2feb3d29c404f001858bf624ec9cd86e77461ae7a2f05b4ca64561ff48e1b4e2dd92d6444170d2a05e1f09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b5ac4d0088a62ff71c7b45615807d52e

SHA1
e7510292ab4aa727beda392f21905815fadc69af

SHA256
819c3ae7b15ff80b60a0cd0ea593c2bc120fb4249f3585d27202b47452e8bc85

SHA512
92d0ffd18c9819679e3079781eadf18099e9130faf861f40558d6cfd0e8b95107c29ac3d6b95a90b645627d439a4c2052cbdb48bf97c35a41a870d638dc4963a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2355b8b34a9d46332c6b8296d5478937

SHA1
29baf1beb22265e5b5ba0aa47273f4ee7c89847f

SHA256
1e314a59cfe41cc63cf2a70742cd8d0f5454812850523e057a74e664867262d3

SHA512
b3046792d5c725d0a465c2fa46eb5266b937f4e5c8bc3792f12def25d101bc4d045dbe2836123ee0a543ce87f8e3cc703807f99461b6bc851e2b7da3158e9fba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
6e56e01cea116a0d7ddc911fb318e142

SHA1
1059297a492960694751ace27939f3e411f0f968

SHA256
d3da5a77e0bfab017c9debc69a7c08fb17bb0f4624101aa39b8cc00dca53bbb0

SHA512
e04e035b04105d2cac35ee161cfc03a7d89946e5db58c96aabcb85fc38453dea5020728a33e58ce6003d5fdaeda476a7c750ddfbd2beb2fbca518314bc9b9481

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d867c73bddb3d117eedcd88416fad587

SHA1
31aa50b4f4c8dfb7f2b93c45327b4fa5c900847e

SHA256
826acf23b407472b2ada6e70b43582ba7201b93e7f2d3d15ab930b1c4b466441

SHA512
3eb82a870d73d23a71d60ce5e7160d4546b9a42b0f6f28c55508a0d1d7fd3f8fc3ffda8c4f847a8a42da2681c8279396005596a690c766aa943af172102bd2a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4e18e50b1449e3788f7b7bc14044d779

SHA1
5b6a47bcaf4a14a6f896de632bad95c0b6ae67d3

SHA256
396fb7d6b224a89a6eafd72b366e5f0f69119540853a7a222a72f17b5b40c78f

SHA512
34f450714d93fe2979d4329a90ea141bca4d85df6b5aca1676f9d89e5f3c0ec87b69240fb0602c2d335fe4b26a6afeaace1ebd9d98b2e6fb307fd413ba841b01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
4e477168fc16598a22689fce67bc0bdb

SHA1
367b23c042241687bfeee2f1c93e79f8296e64fe

SHA256
ba4b2f19bf5dab8016380c6bb7e103eef4479bed4de47da3586fb5b18d9baa23

SHA512
519c9181ebecd98d760743a0a335a105d435d1a5eddd5b4df207fbbe64985825c6f7b83c4c884366cfd2faa4abf3d5c1c1f8ef6713fd1c5c95a851dfdded1879

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
e77e25821a699301784f1e07fb6b79bf

SHA1
a46e8134c8a02cbf32b7458191b0110cdb9820be

SHA256
6233bb1acabedc42e501b2a13cc698cb83bb8a3aac371d886e1c8330c1cee874

SHA512
ac521a8c541e9e044b9be7709c712028888309944529e02fc49ab88e49b1197cf1381154fa9be7ec56dbd3d9d54aa62383ebcf55d50ec61f3f5503ae6cd3b5ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7f774f8479791cc1e1229bdfd136c9f2

SHA1
cac1654c0cd1de3b85c8993e5b837b37af048cc2

SHA256
9cd2da71cd42f35174ea33d423beac63368869b3e29a77c5c161554e39ba083d

SHA512
522e7192a7103c1613816d00b678bd5abbc900a6702ba8bb3b68f259197b4557cecf9c2edd4a3c0b4bb00d368fbefda111545cd50c7394ae07b87b54b4560093

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
ea0e46f5cf69edbf524c5fa8fc6a7685

SHA1
933e0e56892edaeb787b1b71381e6c7e074c39de

SHA256
31142b677ce35df0291ab5dc92f5f2bc3684d4c24ca976ab97eeb95003389147

SHA512
12740e67ba20ec266f91a394cb9ff273666a6215edecc03a8b5a6f23d728cb84436b85b446fbb5c069405ec773f6322b5af577d8a7ab2462eee0fcfef803826c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6680b74b86bb68b92ba722d3b6854980

SHA1
506cfadb1844d4ce6171926be13dc1ddc747a428

SHA256
72248108c7064793bedeac4b31e0221208948c0305266df637b77ebdd037ca58

SHA512
a646a3bc3e2207d75ec0e1a12fff03710483a10d8113e5f006b831b92b1953fd1c421fc9f436931afa24236b132021890ef87a26cb18650ec2031fbdd80b1fc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
230fd1995ea56aa1b4416ccc38271008

SHA1
3352b5ca360a1df1ff646d9facf68086a2627f38

SHA256
83321ab13883147ceca0d1c43332f2e61037e27ec7337cedf96bca202e7f30cf

SHA512
bbccc1abe9b96f6b8b94dd64d7726120b8a58b7eb87294d2cc3dfea4cdf82f1242679eacc705e451cbae142ed82a59ed5da3df934d85a5519306b6a3dde6f1ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
a350e9dfd9b48dd4cf12d6e6585dc143

SHA1
a166b94201e57dd0c628156e6e55d43a936bc31a

SHA256
b9d8f1c865877ed93b53605c6c2250fcd24c8dc46ee59604974f6a0257c72dde

SHA512
37e49bea4373cd11c88704ab978cca9782b2fbdd9a2bf9871769104c81c56c75132887bada3c3c939c8aed247db0c2eebb69cb12ba2d90aba1cc119ceabc3161

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4686d05e03c1778bc180f2cf3f618ab7

SHA1
00b848f62a385088825ab8e0fb14ae6bc5c15452

SHA256
18da8af974032ec37ad0d4d78b6324225d648298c054ff29291ae34f91423515

SHA512
34eaff3242f2756f0c3a1b46df296da3e84a6fda7093a3960b1851acef70344b3c7a0c17e2581b7f661fae37d60de071bf2a480d05ce0df7fb4ae33338c72084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4a4a77215cd22bb3c1b8022b51610da6

SHA1
931ee40d78dfaf13ba0debb16855839adaaa6b2e

SHA256
b1ad547c6a31690260d0e77b29f0a17c44b72a7f1b5b7d6b384e466e9d6d208f

SHA512
3bee3b76e86e040addf975a6c04e368c5ad176e06553023d97dcf273adbfbc449f2de67d0c8a934b78b66949f6c32e71efe70a94c275c71c9ecf1ebb0e66cbe9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
54c9add215c33ccdc5e960f00c43e29f

SHA1
a965267a2a43ab486e5f077d3e6c9643cf018807

SHA256
d8bc7fe3d8450306c94cbdc05ac66735c9851dace107cbca7413baf76bfab9e9

SHA512
85898b1b79ee9e036878f2f2ad1c48c5266c43094ce8d1180a589f6a3c62fc40861ce0db68d74de37c9fefa364faeb4327a29809a4a0f1ed77ed5411e741db14

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
44b4a7dd9d15c15f0729a2748acf10c8

SHA1
89878961f5c65b749d23619c2fd00d3cd8d6b737

SHA256
98e165cffebffa7926d3d913cc7fa70163044312b960b253d778a2aa0967ad02

SHA512
e3205e9a076d9070dafa650286ce162272249cb2c44168f9fddaf413b4a656c39bdfd545aa56e10c48a24823116f95c09763215a295d7eaeea2ac4038fd54959

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0c91df8a7ab82ae468331994570de21f

SHA1
0a2c00fc8cdc85a3791ee3577d9c0ae3dac1e5e7

SHA256
5885fc5eac525cbfefc7d9a2b945d3a39745360eb78ff3b647858a9cfdcfd09f

SHA512
daab01713dfed4322dca4428752bb35635974292e315a9ef9a261d9de04d4463143df508c237aa459a3b0d346442316bf090729da7ea571438e1580029eba8d3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
35d46922e27b2f7906faf2692e3a9a83

SHA1
ba2051912e9505fad53f300a031848390f14ae6a

SHA256
dd0d625ee503b410ff3c489d806db8f390da419d1622b186580354cce6df4724

SHA512
3b5a9187db553034f0cd41c96823362e6dd11bc2e6216de4e2ee0f80ac963423771a6109155f6c8321a81ffc30138181c04068132d068e7d4a47169257254bc4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e3ffe9829ee95ccfb9372ed943795761

SHA1
0755947f6c1d8c633cdbbae6f92a5b4887e24cd2

SHA256
83af216e43a636b7c32896ae9ec3fcc1e6f1f479aafa42f141a2a54ebf57df20

SHA512
bf9cbf42a2a3ce9f05a9eb44351fc9811fbd78ddf9c24d652e051865364ac902e19e50addc505e7d71f52bba0ee3679fb55791eed9b674ed0a18228d791d6be5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5044122c969a02c39e64de4feeae9378

SHA1
8355ace8ab80fa51b8b8fe58205591ceb5d5e368

SHA256
09dd44bb57131ebad93c8ff15f0f0792125b6c38c164e130ca0c516e33756653

SHA512
4af166bddfbd830daab6174ebf0dd46877e0b23a5b5ec36ded0f9d1b3a3c9a3c350c70cbbb1cd866b734e8ab79a825a1c47ea7eb4b217b31ac70bdeef5d5ecd0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fbc3de865c5012cf7f4db67554c642ad

SHA1
7b9902b69a208c196f51caf4671e832f3e270354

SHA256
d78a5ef69e5fa52acc6b8449832ed86e66a22af6cddc034a84d47d13ad8ebbfa

SHA512
17e2c779e5a6852542462e15967b09b0a0d1f1e3ac576a5a27c779a1c0d89d5eb198784ff0a3533dc47f883ed4b98dcc35e350d9cbbbf38fb38bbeb8110b1543

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b72a278697433b2687624c06766cbf41

SHA1
169701f65fab80d033c31f9f82b72185becbbcca

SHA256
edaf78b67ba7990cb251758860d67a2134b656a95b27b78e40170255d04f9db7

SHA512
ae42f8c3d39eb690c0328c3ad53e2051f072befd20df4bed5cd1e2f867b54dea80adce92d7efc2849d0533f80ded9aa5731fe5a328c858ec9bc4f1ea969c5d51

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
156e651eb16aa87c878e8006d3651b73

SHA1
e9e2fd55eee59d8b5a39f66e839617c34f136649

SHA256
9cf5d5c88784ae40c0d95a5adb7d8abd0395740e81e39f5fb4265221e471e72b

SHA512
7b2bd3f3cd0383c53c26d1d71d6fff96b70b5bd8509b527e0becb7fe3fae04338a4a2aea0af3275289bcad6f53c0a6ef0026584faa5f2988062df762c74ff567

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1d49299300650067a439b808302fc54c

SHA1
85bcef0e97c7a34051a5a4074ab7bd0a98c3a899

SHA256
8aeae58e94d5cc8b8d16b58c757b06b6cb942ff410a99815f08889af02a64cf3

SHA512
00f2b51a57489952d145198bb203389d0d140dccbe80ad2958a5f8f6ec6112dc8ca1cf67123f450b9073f9d51b4f631241782b768574151b4e796c3cc7801d49

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6d3d3a444ed7efaafc1beebe989ff943

SHA1
0fae5e97f74f838d535cb0653b250da04cf0f462

SHA256
2c31e78e4167231096d116c947401c74cb501b78a620993bf2a8125d26209ec8

SHA512
8f06029eb491894dea49fc3987d3787e2af2c4356f06cc6b0de19ec40ed33acf0c4b6364a9ef14983ad69605cd046a98b333a082893cb74d36f507689e9e5742

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
011397efe3f1e64fc4f0a1389b22f483

SHA1
9b9a8be6e126a5c460cdf4241a274ffeedb539e8

SHA256
810e933708ad216f86b9e1baa8f15f7a716db851b7bfbcd42fd972bcc6445b43

SHA512
a001d8e401b9ff9772adc2757b6b152722f97df920a51d27e9c99a19962237924d0ee3346f3de83e7cdcb8f619ed0fc2a22e10bbd49a8542b3c77ebbb9a4b036

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e586e78963d2869dff7404a1ac5eb76e

SHA1
0d646e1b2a88fd4147d6538b4558c4650398b821

SHA256
6df06d2b1811c0eb6583b6e8988321f32c4e7cbb1c90fd11df26f817c2732923

SHA512
eba350ad59606fb0fc43fe26eb9f36d200c4c9c1bc9f8615f3e12203ecd8b0b140bdfd2896430ccc7fe72e6abe360dbf02e27d7412ea6308fea95dbc4e8f17b9

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5fe61680b9c8d0bb64aeb7066359eb04

SHA1
15363ead2cb33d98661ccd578c0fd1916d81cfc7

SHA256
3f793b90aebb76619c59c90aba451bf1ff603998a79d6e761c1e484756689c1f

SHA512
1037007aad32dfd021bd227de2d701fd2512f7acf0dd59ea7bccf98f979cc2c318a31c960741d0a2ee0631beeebfe3c36f567e739a014bd8dde13a09d8ebf651

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
31ea43666913dd97294e447be332ccb6

SHA1
ac53d101a39b22ed79055fb03a640727f9c57bf9

SHA256
5f8622403b8d294e8f3598cbfc5395e2c3d9acacf35211874ddeb64dc5d682e3

SHA512
2e0e30e896a9e7113c90733e89fcb3005034f880ba14bc5572e62d149f6a781602135337c667409743ec6be2ecefdc9a8bad058c2f96e93b6543ddce4167d26c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5dab009de8cb85d6ed3b5203ed5908f8

SHA1
f7df23e561cc687dbeec44d2048d4104c04bc3f2

SHA256
f2d2f16195277cc8fc4fd5ccf3adc1ded6b9e315c423c728df794e404ae1850b

SHA512
504a570ade239824040f0ea7bc66e10a9399f70699c35b72423fc61156e1a7d2955b411059e592ecd0d1c5b97d6d2bc6794815d62eb028140fd8742711d50863

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
cebf4d2106041b54edc90d7d54ea9cb7

SHA1
52378e30259ec7260a116574e55252c2aea10934

SHA256
060382fc332d65e6d987d4e3b71ef286984b5f4f0b9b1a1b03005db691998bda

SHA512
6049f3e2fd51892c59757af45edcb138e197b7f4d644612f108ee4e5727f3fae6a751b38eb9787abed5715ea74b47cefb2ef31895dbde0ef58c37c5293ee1581

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
f938af8f542ab80b59be2468ecf1b614

SHA1
3a25b14c988ed7fb1640a38a86be8769d8bf18b6

SHA256
a4e6485f9b203ca22c79590035a2218ccd9a5711647ba51aa01ad942b7251ad1

SHA512
56cc52f3b183be7c1ce6398ed80e506c06a8a602baeba3c1993f874e35f7e6049da980d396cb2e1a7d0fd6f3e55038a4cc084da7114c0fc84077838fababe206

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cb0837b3b9a3c5017680cf6585eda6a4

SHA1
3795aa30e8acf202ea600471bd746d257315362e

SHA256
d0ebf09ecb60262a91e24de46b620b18b3e323276c4e7c614105bace163723f2

SHA512
7f5a7d5c0e8dd38aecb29f60a6ea70d71e9fe10dc25465752963feddce38b77361b9da6a7bfe7ec94e3ce2f961b368f672fd949ba58ef53d8a1947f0e7cf046a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cd7dc3c8e21bd8fc592e34882277bc75

SHA1
4b2eb77ce050b32170713c44625bbfc8134f877d

SHA256
a783e32207a9c12171c043fb1980fec895434140f9ed9144a734f6ba012613f5

SHA512
2bf233278f124957adb9c98fc0011f6eb8c108492074c4cdb3f53d206b0977a1ab9c3e14078bc062173ffa2116a4261db511c88281bc1e0f89275d33c35f2443

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
eb3de4b38a8eb1545b7e002af97d55d9

SHA1
ffa8aa10cf052113752706b162ce846763992fe8

SHA256
1324b551403a2e240056c89eee4d84ff0e35a0ba06d9e32490ef7214aba80c1e

SHA512
93b2cfa4886e97a58ddc3080697b14205a4ff0ca6c37fd492940671f9ed491374bec904b56a96d9bf69f70fecf47369a48a12e42b200bbe4816cad8bf787698b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4b9bfd7a64dc84277171086d8374c5a7

SHA1
746668fff557a06d9c39c6d3474c8c01c2bc2f04

SHA256
dc98337f2b8d152fed9fa78e0e9dfcf93ebd9f28eb1327ea2a5f74d86c90170a

SHA512
6d5906851489cefe0a891246e0a7e3aed7ed8d3485377798a7b939f06f6031a3edc82967a9d27e04e7fa48ce548821354c4cf34200112166ca9f8d65816bd35d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
dee99a8d16d6553d23151a5ecdd960e6

SHA1
2501ec911474522933a6e6433bf8eadc13cfba20

SHA256
1c00fb3b11283241ce02585cf6f6748b46cb599c629512f7043628814bd29d60

SHA512
f194077c6f2915187c05d10e11ae87c4f5cb0d1f49dba2a8be1f7316b850de94297d4fff2dfb28df0b397b75f41b74227ac7d2b63ebebf5b05e9de745960cef8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
08461c6629c9e47e9671f22d4b5463da

SHA1
0005248cf69bf62144cd256458ae19f64ce2d72a

SHA256
0ad662ac5a4352cec31a1f7a79128423f71a2454f841d7994deb2b85915dbbce

SHA512
42d7df59b860ecaabdab773c0cd61f877d0e0de556d72e68f567dae6311d5ba260c5df9db2be17cd31a45d42d9b59b08901d863d4dbbad1faaacb2930c034c53

Download Submit
memory/244-39-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/244-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/244-46-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/244-44-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/244-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/540-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/540-558-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/732-142-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/736-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/736-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/736-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/736-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1500-140-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1652-519-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1652-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2032-405-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2032-167-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2192-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2192-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2192-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2192-228-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2260-143-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2260-251-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2568-141-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2940-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2940-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3844-158-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3844-20-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3844-14-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3844-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4016-27-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4016-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4016-181-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4016-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4328-194-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4328-471-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4400-232-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4400-520-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4504-553-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4504-252-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4532-182-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4532-467-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4552-556-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4552-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4552-267-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4760-88-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4760-144-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4776-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4776-219-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4776-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4776-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4904-477-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/4904-0-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4904-6-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/4904-475-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4904-9-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4904-79-0x0000000140000000-0x000000014019F000-memory.dmp

Filesize
1.6MB

Download
memory/5048-264-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5048-557-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5060-447-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5060-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download