6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2024, 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
Size

1.5MB
MD5

72cd395f6f24e5c1ff93d8bd055a46d0
SHA1

3320103054ed3c51f96b07bd67727162751c4394
SHA256

6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1
SHA512

3a642ce9cbb87b1ff90ae0274bc4072dfc6336050de2a44251d925d77e8a7c7f8d3146822b92f0d58c726c603063b90640cb8011a907e7804e9ce9e38fc1ae66
SSDEEP

24576:bz2DW58NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:FgDUYmvFur31yAipQCtXxc0H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2424	alg.exe
2160	DiagnosticsHub.StandardCollector.Service.exe
1156	fxssvc.exe
4824	elevation_service.exe
2000	elevation_service.exe
4412	maintenanceservice.exe
3324	msdtc.exe
1080	OSE.EXE
3996	PerceptionSimulationService.exe
3456	perfhost.exe
2780	locator.exe
4472	SensorDataService.exe
4644	snmptrap.exe
5000	spectrum.exe
3488	ssh-agent.exe
1248	TieringEngineService.exe
3232	AgentService.exe
1904	vds.exe
3684	vssvc.exe
3252	wbengine.exe
3972	WmiApSrv.exe
4268	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\System32\vds.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2ec8da07ffa85a2e.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\System32\alg.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f1616f47b14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007dae8ff47b14db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000018104f57b14db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4c2bef27b14db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2160	DiagnosticsHub.StandardCollector.Service.exe
2160	DiagnosticsHub.StandardCollector.Service.exe
2160	DiagnosticsHub.StandardCollector.Service.exe
2160	DiagnosticsHub.StandardCollector.Service.exe
2160	DiagnosticsHub.StandardCollector.Service.exe
2160	DiagnosticsHub.StandardCollector.Service.exe
2160	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4920	6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
Token: SeAuditPrivilege	1156	fxssvc.exe
Token: SeRestorePrivilege	1248	TieringEngineService.exe
Token: SeManageVolumePrivilege	1248	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3232	AgentService.exe
Token: SeBackupPrivilege	3684	vssvc.exe
Token: SeRestorePrivilege	3684	vssvc.exe
Token: SeAuditPrivilege	3684	vssvc.exe
Token: SeBackupPrivilege	3252	wbengine.exe
Token: SeRestorePrivilege	3252	wbengine.exe
Token: SeSecurityPrivilege	3252	wbengine.exe
Token: 33	4268	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4268	SearchIndexer.exe
Token: SeDebugPrivilege	2424	alg.exe
Token: SeDebugPrivilege	2424	alg.exe
Token: SeDebugPrivilege	2424	alg.exe
Token: SeDebugPrivilege	2160	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4268 wrote to memory of 4344	4268	SearchIndexer.exe	108
PID 4268 wrote to memory of 4344	4268	SearchIndexer.exe	108
PID 4268 wrote to memory of 4436	4268	SearchIndexer.exe	109
PID 4268 wrote to memory of 4436	4268	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe
"C:\Users\Admin\AppData\Local\Temp\6e8b053d91ab382894f50446372380d80f994bc279bca44302de8bbbbb4b0ee1N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:492

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2000

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3324

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3456

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2780

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4472

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5000

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3856

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3684

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4344
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4704f5664abe643aba7f98f40acf40b2

SHA1
c10710b5a03cb39bd37ff1088f232fca19c48cac

SHA256
3dc016e2fe3b4ea23e9234471fa90b83203df3d196c404560b8c744a130bf32e

SHA512
7958fdea2dfc15479d6f076eab8756e36ab1132ed5cd92c1691e6b93fe7200be94f19bc55370790745caab66516e4e2cf4c90aa7e9d9b4a183cea62ad32a9270

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
6ee8121ea138d60865c1d64120305050

SHA1
e41d02d6b1ca31adb51d2069aa07f740952fbaf6

SHA256
83408f90a5298142e127d61ea10edebc9af09385eb277065f1b8cf36029c511b

SHA512
2abeeebc1d634aa3c08a7641001b104290de20289e735367ba2156ec3f552e26dfa77a0da2a4aa5dd73bc6ae1799e269cb3b24a6cafa0040a25d8fede4be49c1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
310ac05d58ef0e9d69284522731ca4a0

SHA1
eb2ec47ad96796f5792b827517ebcbd54f22d0cf

SHA256
efe0356556939019ed069623c1326032a63023667984afc7155b317b7c380bb9

SHA512
c7a627a7be84da19de2c372b0a0d1842dfe961f8527133d74f5c6772232a46b8cca3bbdec66d4e6c39c9e3e83765cdbf6fa83d16ed48e25aec001e7712e3ed93

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
234d5a90e77d8be9844a8bf291e7562f

SHA1
d48895d68cf05b0fb6470b55f50504f9ad49deae

SHA256
218214c943cda127fa75aec399e940c4707725035d047044df32c3b6f54c9436

SHA512
4bdcef6d6b9aef5202bfd643706a666f5387fd89a65d9e94fd4dea4fbe699da0821f16277204bf4d189f275e4e2257ccb00a20b123d60f3d61780939ebe4d3da

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1075d14f72691e18c56cfe69b3e86bfe

SHA1
a228f7d72d075e610a37fc476cb684e03625d2fe

SHA256
ff3b8615d4934af486579bf490bff7fdf297f741102166896e4bd7244d043f8d

SHA512
e18e3dbc9c5edc9976ed2d3b381ce9954cf1357a5c63ee0b14b1ed41e42c058d814ab527dece3a93c95475332263057c291bf7ae4fed53e578f79e69e59785a0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
85aaea11f0676e62eee4735b73f44229

SHA1
b178e2ce07a3ca442b48c673fcef23283b36f102

SHA256
468440eb35c63d5c566bb4c190e720389dbf20290a7743a9549314c1d550e14d

SHA512
f0cfdadb67545a28a2e9b204984a4c27c9069a8900c22b4446fd3e65431f695ea36bf63ab4f97fa3c8ff8503a3d8547b2edf8eac68da4513b7f753c1a988de0a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
afa1438895785ad7c875c4464fbe931a

SHA1
925091ad9cef9c240b295614289b3a2966af2b45

SHA256
4ec0b361bd4cdcc15e2c299741ec87ee01daa75d561dd092b4aad77f28fd925f

SHA512
9842adb474ceee5be48d44b200b1fa7cd681654d8af0f2afe641da2d17f4ba5f2ea6b327e49be9c50cc0a3b8296ba0917f5f3086aa0c1d82b8d8d1a62a3e148f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bf62f583c41c10928e84001221ae9531

SHA1
27766027440a3ae2f1e8d4aa74adf16db568641d

SHA256
b2011a9318faf1ba557d36218201452f9ae6c19e54f873a60e9913211e060c1c

SHA512
950511a8da133efb21a2ccde18b95ac66c0fe50253722349e914b9a5058587824420ea06e9171956ef1cb40f583b03dcdcc2de9613208f6fa9ecad3c5edaad3b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
4db9827ae22435b4c1ecf4b1c6a8925d

SHA1
5f1b5dd4be3147155e0a3a3df3ba807b0d887b2c

SHA256
f1c11af228fa5cc8e01daca8349ebb81166f27951f1990ec52b2f1a21d9a4863

SHA512
c33c3165f3a2424a687ea720d01b8ee86fe8ae2053fc0927a248f15f3af99292eff7a91998333ba3203612187d5f05695e7f77b8e47cdef052470bdde076a0a5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
885c51d0be22fe259b0210fcdab225ec

SHA1
697cf61e2477492be9baec1b403d1d01ef12273d

SHA256
7e8415000041a5af355fcc8799820fdec9172fe8e3c9ade38a309cef5ea27242

SHA512
860831c5051443230ba749fca63aad36d7f390b5a9dabe91f2509f64b6ba307d0beb7aee2f2f3f22316064640562c812562e308103b1095f31c0ce8d7d2ecac2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7553c712a88b4f0713f92be3afa7e882

SHA1
77a585a9f3c3634caada8b13d9b809f556f2fce8

SHA256
8eba82f20bb91bb28b1c50e3a17a793012d94248ce63f8fb5ce584f286748fb2

SHA512
3b0eefe1c78fd46595511f60165f97db906ed860b380ddccef42e0d00f1c439783fc16f2c4f89084bfe891c6a0161256c62e4456832ea33cb0b3d7d81ee58a69

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8c787b689f57fdbc3c8ad98f5c443752

SHA1
0434cff550afdc6305f35ec526e77a84c23e0566

SHA256
f8277a66de75d9ef375d8cbfc9f8288a03961f696e1c019aeeb7542206ba93ed

SHA512
fa418ee76af91969d62f743e1fe8a4f015671e7d52c012b8fc6185577f47cb90f14fcf30426787db64345d2c5b5d7487f712a046585e3c5e74cbb0454baf832a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
7104d16fde8fe40763d34cc5f219d89d

SHA1
e91594513ea58af3a6cf95a9d87f0058a4103c75

SHA256
464a222d2b30d9f31052e6f074dc0f3aeed5047b3137a199b726466cd09c2f16

SHA512
70096857dc8796fb3bc93e257e6c54521c8c725ae9e4c8ce3d5b3f9610d1666d128cbaf3a044ffdedcbfe6fb02d5317c2a296a439eca102ea07cad73717eba76

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
39825d405d0580b41b9d97df83e04961

SHA1
a3afffea401502b1f9ce06742761749c98256e66

SHA256
f97142976de26b484ad9e753c22b0fe709285a138e4135dcd365e4c49e71eb66

SHA512
c3c686a7e154667dd23eaeec20d4178cd4ee11e230ca1fc99f585c6b4f3c5ac73263e9871808e94536d984fe9571ab1410d67feadaaa00aba9fe2e20c7864ac6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a628605abad5eb37fca6d94fe25a513e

SHA1
7255f65f61436cd0c996750e089d6c46ad3ce239

SHA256
a7c7fe1d9b9d8e45ef7fc8dfcab176d8baa6055c6fb85fc8501b8ce9f722ee0f

SHA512
5e1f7e2c9da93f8bf252237e5b1153e25208ba9620f9568f66379d33f73937db867662a16cbf8eb4e4fbf83e828e4da2034ec81f3209769b13b09e473b51de23

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
b2782f5283b1dc7c93568381116b70a5

SHA1
97d66f21036f807b4bb066c77ec717c71b41735b

SHA256
a5d9a9f4934ad85c567d590a6773b12be173b167c05fedf0f2a00575a07facc8

SHA512
e5aeae1ad1ba1d6658449a8b9338e869d1d82746f751e257d820c7137182c17f5c2f58ac150a8ba00d749e1974b57bd350840ef379b247d194ef5b35969d454f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
78cec130804a7227a384e61101b37a5b

SHA1
5594393402e73bccde947fa00213a35a040b9b4f

SHA256
1307d521cc4b43ae5255bb5c3a398e13388d1bb87facf2b4db05d9efa5e5065d

SHA512
6e16db85533431c1e7eac664697002b77aa56ad2ffc77d8b4d53737da583f1273c35569bc6757c97cd9ad8a5af231811b05d98022459501f9ad93de37308d556

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
cd0b32355f43ebd82662cee1038c7a1a

SHA1
aa86165aef5ade1843d70d4c6c524ea62fd2760c

SHA256
e98ede85984ca3729456bc9dd875bbf713b3c0679e2ecfab489b774d94d13ce2

SHA512
dccd46e1fbac8f9e3ec34693696d6936dddf40ce050c68ef458b70fac294dcbd69d7d59c7b615bbfe2ea37244608f104642d89d267b611b3adae421989384dfa

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ccafeb1fac1575fdab8be5dff6a497fd

SHA1
30c2fd4bc2c85506780ceda2714ec63a462f94f7

SHA256
a59a26c6acde2dc4a8c262ec4a27c89062075429039abea43ea32c76e9a24b5f

SHA512
b2d93a98197dcf8a71fb16126ec0c08897ffc61a51f4539f66129ef5afda32cd0dd2babb2f5f5f1078c167c16f4c2821dcb01371b22abf2fed2cb6a3a2ec76f1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7e8fc472a54e76cba4e0b72c15ae5709

SHA1
30af991863c24cdfd4400163ad28b3c60efd7497

SHA256
1800dce2391c6aa730a158e603f64adb664fb0653fc3ec41459f50076b3eadcf

SHA512
8314012fa941d218adcd5e46f192c69c8f72459fc4d4f5131d913c89d61ed1736258b065550a5966bbff9c1928ce9306812ad2422c874f6520ba7b0765e30ce4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
f0b67ec24b12d4cbd26065debde620f4

SHA1
d70c08e4382c93536ad7d473b80d78d346a9988b

SHA256
bb12517d64198dfcfca1cb78e8f204e332af337bddb364e95b21299b5a852eb3

SHA512
85b262222ac8b8855dd4190e9c5015dd04f76a468e2be4bc614d14449f9f897704f3ba6c063f25bc475408c46a59dde0fc0813a69509722358ac0464361b5c0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
2b1494cf9c73a91bb6a2fbfd78fdb74f

SHA1
f12ca2dc98fd6fa87a9a6cc00291a5801dcf619b

SHA256
e294f17c2ac018814a3eeb591b446fbe5344f1685099f93fcdaf176e9102fc04

SHA512
fa97d5deb41bbed63fb5686107869b62351f149e1b2e4f9f1e7edbefd7c701de189a06bc8720c062377d8e8d207632aeb05e806514e373cbbb1361601554d2fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
d4e80c566320ee235354b366a6fd2f93

SHA1
b25396303b1bc911301d7e18ce96ad7990b1d717

SHA256
7a4b2ea356359b58b7b866c7b5cedab19aa6e9ea878d6519382177d53bc6bf5c

SHA512
209897b1f33ceddceab424fe35ef4d4262e683dc1351981d465b5617570b462003586126169c2b8266a27bb15fe17e18dcc3e4f13c2c22148570f34d10236cfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
4b3327f963352cacc8fd75b0cc8192f1

SHA1
3c6ba59652a84b9475844ebce7acd1849eec9c96

SHA256
15c55dbb3ac219911a29447b2f8676ab6993042b8fb0560250e2414ff6db692d

SHA512
70d7b09074a13ba2ecdad86fd3ba99bc483c2ff0e4f79cb7672a95353be5820ce6c965ece415b7c1ae4d7011dfcb5766a3c6a998d0e351c4510c78e4a12d9ebf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2c931e81337ffd5a79f8aec83da27e0a

SHA1
2d62b561d643e70dfc4db2b31cec502aae21533c

SHA256
a63c574f5db69a5815c8b4747f032a1cdd352c920da6b465c87e1342c38e0c61

SHA512
e3f7f5402524578af8ea728b25df8a5c8a34373653f77d39bd5ba3a2da97d3034443702b691d589a5f7ea2534600f78a88cfa917f63e43f9cd954c4977908c3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
15a6ff36b2ac0d8244a8e339b5b15318

SHA1
b38c9f147f8f6692671ed57082e52a04745e45d5

SHA256
69cb6ebdfeacd957453c41149972d12f4a28542c484e0066412a9dcf84547748

SHA512
b85758f143cb7480d105138ab455f200cc924861432117308e6da46b85c6b987c75fb48538e726fe5f99b9d9d1b39eeeb2d960ab7b99464a861aab32d9cc4615

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
cb8ba754bc32f7087df5c34a38155521

SHA1
6d845b1eca8c15865c8021cb0f0627d727634e41

SHA256
ad4915a64fdfe95724b7a27a7bf409dbd26d9f5f4e7a24b28e16dc0e24e5310c

SHA512
a74f26d000411683ab1b3bd76c763607edda7fcad2caf239d87e0501b2fbed68a913c4a85615c51027ddd24561ac68369a3939fad7dbcf5afafca5aa67a0caeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
42b6ef9adc5742df22f8a90c3f6b3b1e

SHA1
eca2d6efd593a14801341dbd99160d815f58fbda

SHA256
a3eb66a8173cdc5b2f3ba1ce37acf0645fc85480555a1d461d4d41b48740a9e0

SHA512
a68c88c2e7f3dbad2bc4ff6aa94a1bc299c9f33ec12e7ab934ee958be7a196b192d76d7f987729521be9f8ba8c11a83a580a8730e8b9024d207a42ff108ad7fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
23854708714603bd575a48f9dbd3032c

SHA1
1b9bacb95674ab2e2a76d4131280507f9edbf7d3

SHA256
9c52529272d6c061c8f6df304f1d6467e28d452f1185319c21da973259766c2a

SHA512
8556916773f613c4467d6f027471f64876f3492e3a1a254723eba7f3f3f38a9611925c72bf7abacba39e7af1661c8033e58900ef20650d3c05d5a65379c4c67b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
34f2ce2507d5731049499c54d1e4f974

SHA1
ed0b6295886547073d2b88e46c54f55b282dde69

SHA256
913229ec97bcfff103a56a447926e29376a5f8596178b7f5fa9e79bb0291d4bf

SHA512
04bde34bd4a914a6c9ea2387480b11262b2184df9afdefd8a0a351c1524c74ec5acbb4ec9413d723202e10e5e52299b4a78008cb324a93e5520164116d591255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
56b573b5e50163331534186e0d452169

SHA1
5b135e8f1a4ea8c2e9778b1aa825e09d0aa8c76a

SHA256
e21cb4e36beb7e1574c9c4a8b705ed5f3d9a5816369a6ec2c3fb5e25747bab79

SHA512
3c619f8e477b7cf828cd85693ece5e4ba8d58eb41946aef866e366a77dfefda401a9e92a956f678644ee39f5ebb5f7a173acc93a9abf34848e3d8d40b9fb7059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
55055d500ca53f65042314f62729bca8

SHA1
a3be72a1f2c5b0d568a1e028a86d19354f685f56

SHA256
57f6dfed9c263dfd21a40f4e301b581fcd93fe38254501fe7c157eb54bfeadbb

SHA512
4c76fa57373bee36e535a25a2e83045ef007e4e5e141e881c0af3602303cb897c55339170385098137dcbf43610ec520efdc08575577a9069d7cec17ae194a7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
396441bce24fc4b05d92a4ca7830fe46

SHA1
650a1c873c72188f441089130eae82c5c3889c7b

SHA256
1fdb9d0383420dfeba27865b814cd777fa1a6e707d7df872651e5bcb3ba46170

SHA512
da977aecff6082f65fe21911e990a72d060dd37623ff5e84985a3c742123cbdb7640beec3547f2b44cd2bf3383fc550f670644e5e389cdf534c7cda8e24d1d17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
aaf6f5aa98dc4527a6c662de06dc0ac8

SHA1
e0d258b1fb534ed2197d0d3d3a4bc75b428abcf0

SHA256
64e5d942d9fb09906a0f96ceb5760a48b220974c329d26297be50503b4e857d4

SHA512
aa5bb502f8f01f4ff247f94ab5a33b6f28fa587228e8d371a03933fc9da5dd60e75b6386d5771205214cd4e1a254b591c22235d9b874dc99c7ef679daa45d19a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
5de48d6631bd71b8f4d00eab5219b7b3

SHA1
7b37b8c980f86165224c745174402b641371cf84

SHA256
645e792ebe56d685bedec813fa2c74ccf7576d30de2506b3beb6306f406aeb86

SHA512
dd1421fdfd5dd021a7f4a0dad10627468a6061f38f4029548e84f6da9dc3ef21ad43ff07599749d728fa4feb15d81cc7623ba6e186e873abba79ba979f7098b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
f11bd39e6e052062e873696c71f855ce

SHA1
e938b66ae223c360870bdc3ca9f434a5035778e2

SHA256
5f7a2457356499392327e806e1aa889757eafb12d181d6851fb3435e2b010356

SHA512
2d0ec533b977d9bd345632f266dffd33eaa4f67c78a1cff35e82edd781969477c60b04d11befd215a3ef4f086cabf96216ac200ddb58cd935e428fd12e2d00ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
27cb3c84748e60b74d2b6ee41a85bdef

SHA1
d834f63f4d640071b58a66695c417d21a1b19172

SHA256
8bfa2b95e7190403beed9964ddef29e5d0a3a66877fbbd6a1755cceee8a0a357

SHA512
7e4d7397cc2b347b22d2c5a7187b3b4792d1c74a4c04c1af83bf32003d72949989c33abfd65b497af7daa62aae889d5616c3d423ebe732b58ee1b2b0a5fd2b02

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b3c1da1f125dfa30dc8d43d2db4364b0

SHA1
5eafce159eb95fc972fba80171b78773b123752b

SHA256
7e76d58f7e1412a39388b3f1ede75bbe7ee233bdd7a37133e0430b18de2f8025

SHA512
1b57bc1c0be117315be64d8068d15c3cb6d4f1b0e9cd36ae6001065402a3c7c22efe876b1425291cf3e06eca4273e4e9476c87182ed63ec3cd1fc3bba695833b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
f5895db8b43fb351aea9ae5604bb59e6

SHA1
237d70c0e5f5e4d08e5df0d46a693f06cd72dd98

SHA256
2661a2bf0fb837b77943532f6a80421df7807dc11797f294908f4dfcc8c1592a

SHA512
f3cde0fca5acf39f4397c885e2ddfad24df4f5b2315963723192353464b1c3c5e9d7a59376a02b28d6f3c4f886254d009cdffa9009801b741f58753cccd69553

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
2fd445566c69e782f37467ffea9812e0

SHA1
63cbaaefaa83394756c5370885f3eb82c4b52b4c

SHA256
38df100a34ee904ffbee5dd078f91545ba504137b1705ba444f9f84e098e3717

SHA512
d672d039784ca6080859fd3c791d7b35945771ab4273a74a7810877385b884f8f27c212fd30f164bac0e9345d8695d57bcf5c77bf1eadcf3a38aaa89522ab579

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9d365d955c9ce98a900eacfeca99d428

SHA1
f8ad0350bc1528c3cd35e238ebc4e8351b345c19

SHA256
f2e5e9d938c4afce13aa83c20126f23e2a87a73ca8fdcf1b02935af8ed8a297b

SHA512
0ec433f12c9112e9d96d0c920448ed35a4eaaf4bbf96790df6929bcbe4773a3a1758226169bea5a891a05ec14997aeafd3f7b9c678be6da0ca49f902b1584e7c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
c31efc3de1e7e16f49a0f5333745ecf2

SHA1
a3ea5401933118179df46ad1c46ebe9cff61a38d

SHA256
613193338304c4ee23ba77bff99c2dc12b211c1d892d58291282a6e9b6d06a24

SHA512
7c3dfb18849d75acc45a2fecdba94af7ef904ff4e46b7d2cb8682eb17f4da0125199c2ca8368ba27e32b5a5ce34f35b2192605d83fd5c800312f2865152745c0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
77b9e5da50c3363148262fa86fd4e045

SHA1
8443751ca19e655dd5987744ddee493b5f51995a

SHA256
c450661ef65c030f6e7ed350dd2f2b5eb00047cf4c175c4374345bc1ab11834f

SHA512
6fc081c5339ece95469003f9f3798175f104ce2ca1a124face0a10fd2286260a4a449b891f87c57ad4dfae11e656b75f798aa21d5d9568e581a1663bda1d2379

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
9adf902e829e13d03a6b2c2fb8146752

SHA1
4c0d6fc648909f7d022dda6eaa07506a58de34e8

SHA256
09565151ab5091c96e53a3e31a09aa4162b6beac08c37dbb6d35a617316a61a9

SHA512
612ed8c42ad93b08e20b8011df2072e4c8578d9b14f37089ac1990bd9e23497b68d082763b3ad5310825696ef51bd8b7f77092aedf848bca28e6d76c5a1899fe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
cdf37ab2a3e167a2bb66daa86c089566

SHA1
4b7b761f7406d030f337063dfa7b99e905b62dbb

SHA256
452f53c25322b38598f40eb3ec06ec82844943c38f05aded880d135e2ad41093

SHA512
3f03eeb73d236c9466bd9635a7e3cab50eddc5f48ea0072997dc83dd355d34c4af8ed4c19e262592818c0e5d93141cf0d789b143d6969ea3c2249b72a3c76695

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
2e843db36d60234baf8192738a30d560

SHA1
735b334d23a1ac423eb91c4fd9918f478a2fd73f

SHA256
f6e841ea0b41afe0621576e577ec1e04cf6811e6222dd2457d3724bd478a7bfd

SHA512
a319f6d80da1588f7977887b0e69673abc763ffde09a960677c1112bd8475d8e6714bca8a6db58c8f13598744e9939009215c05d0e9021d94cb260df0895d5da

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
be5a3d501fe28b1f27011517eebf9f6a

SHA1
f0fbe18eda29c504b00dd18908da1503fbc914fe

SHA256
c2ed3b49521a005d69487d1269bc777ba50d82be79551d0549508449f7e555ae

SHA512
406aa33415dd06faaa3820713134fb8e66127a42d8f9ccd5240dd49a2835a7062499c4c792385c9d41e22dc66fefdf82f78c616f675659f287699af3c14d0445

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2b41096542cd69d2b8a5c815f4d4d57e

SHA1
3a7642c6004d062bf3a4a3e6030ef0def8461824

SHA256
59ebcb0a94afa6514395d3fd269ecddc9afa5e625ab8ef582cadf90560ff8bf4

SHA512
0238eddf384a4fd3bd6b6b3c2b7ba53c76d8945f058c0ce9142f915621d9672f4e44dcffe7e57d7f2ee07001b326dabf1e7dfc125b9db8ae3f385adef3c4c959

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b99b8c2ff610c194c49b796249791463

SHA1
e857f8c86b1895f5968c852a0ef61b90eeb84720

SHA256
102f5bf1a2d9691c3d5fd99f80e7ef8ef2318aa627b03d6b07db4fcc627676f4

SHA512
e0c39ffb8aceabfaa634b0a447a660f48ac79e1a185f9a77a12171d48a9e881e59b702b8a47a6b922f662bab809dbc6ff004dafcb753227fde330630ef4d3b0b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
3bc706e1ad1beea0c9a1563bbcd8336d

SHA1
18e8bc1f7d10391ee6e8f924a4a3f72b033d8035

SHA256
34cc7c71819de2441f6b4122687fe550b08c2aa5dd293dc8c424950df743adc2

SHA512
f84ca143c65b86756e6cebfbca0d748ab514243d5669c92e4dbc390b9c83a5218a89052f07badc5c9fa288070150ef2a9b008ef0da7dcc16984c0f8f09878592

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e45d2aee58f44b5138266dc32f7323d8

SHA1
23e90e4d5bf69491248b45abfa64044a43500f26

SHA256
d7753e117c02b2e362f2f5749f6838a844c34f933b603bc63d11dd416e155190

SHA512
a4fa201002ea6ae0c893d6a5dccc5261b56e9019a4759845a78da76a069dbecec8877b13177c7e4d0a0263a4e75ce44d20a53269c17cc042fc230c4525d84b10

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
3927282fe468385e8c811982e4975c2f

SHA1
4ba3cb2da81d1d04f445077d644054686592cced

SHA256
7f0abb5dd48b0760cd3feb4dc6a8eb0c155f4516becab1d39d234d97c36afd4e

SHA512
b4050e5b0f08839ee63faa3ac260d717f11530529030ec16cd53dedd1734230ded6567a018d52fc3c1d65c0a93265496281ad25487b9f1e61747c68ca18c5bb5

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b3688d76e3daac474d18c6bd399f78e4

SHA1
4f27bb70b231a5dcdc51cf39588badda3d542399

SHA256
310e00cb9305e9f14d8bc44ffb5d1b96c04ec99a8498123dc08d769a17040164

SHA512
eff77e0e6da1894c550d27e1117d89ad0fedbd1fe215398efdd91b751e152f229f0c17a3b302791be2dad6eab6d48ea7bc785b25ce19f5ae08424eb1d8341b63

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
84678472b9e19163f3095355e7c8acf3

SHA1
43775e26962be04fde745241b829396105fec703

SHA256
50a26965c6d1bda17f38c93d8f9376bf1bcdf4527b6f7fb908a635f30784eb9f

SHA512
c8b3dc9832c065beb61e8033b33bdf8008b6d28ceb6084b9b93c63bf15766dcdfacb8ec995e91c3bfca08f7d8f25067f14f294a8530b19a6ecd82ee7b92c4856

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2491906b6906804925e4fff8b2c92669

SHA1
82eb447f7acbefae87569b4f35ff5f0bd7083b3d

SHA256
ccb9f3de89b6974376a416cdfdcf3f09e1563acd7e24acc15dbb89e48926a089

SHA512
aad3956b1af70f6c169d62aa464558c25982b22c64db47481b3381e7314085f582997f44c576c05e0b6af59b86fff334b3e848620021f8ce62361efa52949c76

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
07ad892bef4dd6b06d97ed834c16bba4

SHA1
a1b3ed6ca1c3eeb83fc5db88f7ecc54298f1249a

SHA256
e6194fd545d1cd32d85bfbf79d47ed3362e39b343e4e7678d6ba42051b72c794

SHA512
8b2eeca1579ea30d65511b1b4d1fa0774665a6ca82ab847ef56126a1b7798366ccf0e5956906915d27cb27c291775aae48aab40502ed74b455ef31cff02859fe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
186ea8528c87ba67a0b994f8980f3e4b

SHA1
f6245b7fbdbb478c64bb1257e89c2f3151628a1f

SHA256
36dc85c212c51f1c83ff5fd68a307e7bcf3bcc9adb7dfb1eacccb91a857c3b1c

SHA512
3dfa4d041ab206eadb9b6ac8f56f79e0903b535ab894898b91c1fbd69eab501b75cfb8f6a9ff6ae5a25db7a8010cbac48a79636d5a8ce695b582a5d77600f96f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e92a2652c229be5ff46c9b6ca2db98f8

SHA1
5a878dd09ac80a3c4b5d7fc27d6edf1d9d85d182

SHA256
40c464c62d297cda818e5271f133c08bb33157f02399b711a853576fb3184066

SHA512
dab3baeb521a9e5ee0a356330132d24b09eff47625433f6c88384738526c8ce783e62996d26e970b62235322def6d9600d07cebb1a7cd0bf0d7cd0f2f8222263

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
756e377e10987db7a48cac71cfbc7537

SHA1
7c93857f42a5e65ceeca117f57a002482e1da03e

SHA256
8f17f5166e2232ac86de97ecb0e1dea8cab58352c4d94aa7c79499c326b994c7

SHA512
86f5f0ebd0c3effaf2f0bdaddb6dc7197fbf8875a7d5ccc5e19b6bdb1f1f838971bb35fafd7f398f5009c2df02846093c5d22fc57cf4deb0f0efcd03ad176d21

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
bb005dafc2738a69d678d1b16f7c58b7

SHA1
5fedf1080a378b4db9dd2ab3bbd8e0634b6760aa

SHA256
20406aae51b33b61c8a24105e36381661849143e2b509309e89f4d6633982129

SHA512
581d1f674f4c92778bb7f868f4e8960186476207dedb9cbe68d4a1b532c9d8d3089c8bf0363a6e4a1d1d1ec204145c08629613ee79a39cd32ac96469653e5689

Download Submit
memory/1080-226-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1080-108-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1156-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1156-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1156-48-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1156-40-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1156-49-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/1248-208-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1248-538-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1904-641-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1904-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2000-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2000-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2000-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2000-73-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2160-36-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2160-130-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2160-27-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2160-28-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2424-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2424-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2424-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2424-92-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2780-262-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2780-141-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3232-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3232-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3252-658-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3252-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3324-211-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3324-94-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3324-93-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3456-131-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3456-250-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3488-197-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3488-521-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3684-657-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3684-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3972-263-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3972-659-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3996-119-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3996-238-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4268-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4268-660-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4412-84-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/4412-90-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4412-88-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/4412-78-0x0000000001F50000-0x0000000001FB0000-memory.dmp

Filesize
384KB

Download
memory/4412-77-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4472-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4472-656-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-387-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4644-172-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4824-54-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4824-175-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4824-61-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4824-55-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4920-460-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/4920-1-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4920-9-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4920-462-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/4920-76-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/4920-0-0x0000000010000000-0x0000000010187000-memory.dmp

Filesize
1.5MB

Download
memory/5000-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5000-439-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download