66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44eb

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 04:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
Size

1.2MB
MD5

c9c49ff4c221f4783874243c13c06e00
SHA1

dece1890b91ddc56e88567b7b420afd587c13031
SHA256

66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44eb
SHA512

7536777471edd0b60856911b3b7a2f9e3a0cac75233dc63d50416257681e38ef62ccfea8d6fb800e7ae494abb23380ffb8191d7d6c966e9a849484c6662d9e00
SSDEEP

12288:Ucz2DWULMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:Hz2DWLSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4232	alg.exe
4784	DiagnosticsHub.StandardCollector.Service.exe
2076	fxssvc.exe
4340	elevation_service.exe
3280	elevation_service.exe
5092	maintenanceservice.exe
1104	msdtc.exe
4000	OSE.EXE
4928	PerceptionSimulationService.exe
4484	perfhost.exe
1688	locator.exe
2524	SensorDataService.exe
1084	snmptrap.exe
64	spectrum.exe
4440	ssh-agent.exe
2772	TieringEngineService.exe
4756	AgentService.exe
4608	vds.exe
1876	vssvc.exe
216	wbengine.exe
764	WmiApSrv.exe
712	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\dllhost.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\System32\msdtc.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\msiexec.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\wbengine.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\System32\vds.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d2f2ba7d99262766.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\AgentService.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\vssvc.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aa4c2163f01ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a3bef62f01ddb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd9a2f63f01ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001f2c4464f01ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072f67265f01ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4784	DiagnosticsHub.StandardCollector.Service.exe
4784	DiagnosticsHub.StandardCollector.Service.exe
4784	DiagnosticsHub.StandardCollector.Service.exe
4784	DiagnosticsHub.StandardCollector.Service.exe
4784	DiagnosticsHub.StandardCollector.Service.exe
4784	DiagnosticsHub.StandardCollector.Service.exe
4784	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4308	66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
Token: SeAuditPrivilege	2076	fxssvc.exe
Token: SeRestorePrivilege	2772	TieringEngineService.exe
Token: SeManageVolumePrivilege	2772	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4756	AgentService.exe
Token: SeBackupPrivilege	1876	vssvc.exe
Token: SeRestorePrivilege	1876	vssvc.exe
Token: SeAuditPrivilege	1876	vssvc.exe
Token: SeBackupPrivilege	216	wbengine.exe
Token: SeRestorePrivilege	216	wbengine.exe
Token: SeSecurityPrivilege	216	wbengine.exe
Token: 33	712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	712	SearchIndexer.exe
Token: SeDebugPrivilege	4232	alg.exe
Token: SeDebugPrivilege	4232	alg.exe
Token: SeDebugPrivilege	4232	alg.exe
Token: SeDebugPrivilege	4784	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 1064	712	SearchIndexer.exe	112
PID 712 wrote to memory of 1064	712	SearchIndexer.exe	112
PID 712 wrote to memory of 4748	712	SearchIndexer.exe	113
PID 712 wrote to memory of 4748	712	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe
"C:\Users\Admin\AppData\Local\Temp\66ae6b78a37dd015e8c1ca946601037be09d61fa7de04ddf06e8d4a223bf44ebN.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4884

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3280

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4928

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4484

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1688

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2524

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:64

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1988

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2772

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1876

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:764

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1064
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d6a383d46ca9cca66af2c7efdef10908

SHA1
4ce766cb9f1ff46b0049914facdb699cde9373bb

SHA256
caca9f387cbe763db43ce69a17405cb09eb7f074ba18ab6a438a90fb67caf58b

SHA512
a5310b248f1ffcb720d4a35a7572a0bd0bca813d6d1f03a54a090f3841421b273bbe5478581bab313d67504ba4bbfc1d9f9021e8ea5fe2335a4f226a3c86f5f0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a795fffc352ff62a78a6c03471d6a1f1

SHA1
0db73454d76024f36a6f948de8cc48c6360c4982

SHA256
3989f8eb1a77a4e4caf647956d3329f9e83949977e61059e6e0621677b51692d

SHA512
95191d7cfd0bd880b71bf0f44024b47bbc7611a52f9a020b0bbbd994bf0b5c6fa57c1a9c265f719347285d5838ed703ec310eb2796f50e030c44a8594d568b5f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
84eae3033eeb81f6d951e6f52fe79747

SHA1
bbec07b3936400cf66e17717373693cc81007a5f

SHA256
e356a1f55b54169a750fd130941cf500659239bb74e0ab807afb3aaf0e35f676

SHA512
d398dde60730a7528feec8c576466995e6671ea5e94c04c9b900c854b40f6c12d9ee727a11b5d019b6410aa146730920011931404c4569ccbe42f34a72cd1b23

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7ab9ae3559876a2d1a9bc47eda240366

SHA1
15a8099db6247d410652a889750cead0a4a5df3d

SHA256
d1fd9d38b40193c2c984ffbc96a96716b9edb632685f069d8e596349415eb7ce

SHA512
d9115bd334a1aa919f514cd1a7487c45ed4b98983ac0f77c3e98fc73ebeddadfe1650dcd17e9b330d2e01552d6e49dbfe3c81a3d5bc3ec8132979fb90cd3b55b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
53d0f78abb53e005086947970bfbf47e

SHA1
082ab7c3a9a9f1d678deae908e3647bf6dca3688

SHA256
df6e453e4647f666c1ea3fe82d9f2f76e720fcd54b136c45c6ce29653f68139e

SHA512
8ea1b5c01c013e4259f60cc2dad44f2ca442d802ff0e6e31ca04d64698e7a0b338991dfca259263f03e479c70f3fb07b30054caecf925e15cd075f350c68643b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8a4de5318115efd668838d54ec703b88

SHA1
fc00b49b8e54a3fe24ebcaa9602b868c14588fbd

SHA256
be9f2498fa83760376f4207d2f3b42eebe63c6e13b2f59a1a65fbcdc3eeaf772

SHA512
f579ede41e93774e1d080563f54adc4344c7ad470b3693e53c91ef657ae27d047314514402fcae87f27a10f264fab18cdd8f7c3945de413b88457eb1515a981a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
aa789760b3d2390dba7e41d996d9cbc9

SHA1
9d8dbee96f6c7d590a8583a4edab785afe68873a

SHA256
53b96b15ef81fafc49cc654c3cab2e12834ed55fb500be777513d74008d3e771

SHA512
f8bfcf46da703d18a89a1efd82f2a4464ad226b0ffa72f8f96459a7dad872450753f732ec44588a7db9fe19b0ff2c81710e32dd899dec3677d2bcaecef31baca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d27237c8486a9f90fb33f221692d20de

SHA1
49efc89f79e46db37f0a39efee741077f05d4b1b

SHA256
b2bac2d13f62e78650169515e58ce15c690155d97103544490b741a5e12bdf0c

SHA512
3e191acd810cd4e3eb4659f85df2925b47d13343571a94095ee37d630669ec6e2e9fb5720d35338993e7a86899ea3122a2bb5d0dc502578da43f2084a57e0647

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2876e3d01ad0a9a8ea04eb588c07ec87

SHA1
9f8a537e51ff911e9e217cb90108fc265a908e84

SHA256
d9003bd4738b516e574d93368ac7037449505bb47f86fe410abbb0c1be447af3

SHA512
ce6850d2ac99b1c11dec0c4288fbc56b293b7bcb7729782613f3aa4f6e4af451cdc080fbc2854a2b704ac15516fc585a55c99ce7297ec505277b6e7101ae2023

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
98f5131c2082b5c20dc2509f74d4cac0

SHA1
0b95fb86b8b19f830b4beb9a04941bfd4ff6649c

SHA256
8d7d231ed06c9a28bf511aa2afcfde13b178dd42a893f3b342c87fe8b80696a2

SHA512
901c55a571c11ce3671e599969261ae61ba34d3eb00f33a08f4b82c52aeef6f0eee3a476a8854fb695db4b06f4daee741f9ff10e5de2ab19bebf4b8fe48ca502

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a5ac2032449a239c8afde789b5c35104

SHA1
9aba1baa36c477e4da90dc9e1ef275f00d631c3b

SHA256
3e7c7147ff9dba443560bd2b0d437b586eecc246653915823d95e7c0129f678e

SHA512
986c064c6687e10f5f633a2d4ad3bef594b7a196a7e0bf4b65a1191ac6216d949da4fc86b61d434e4e4e4e167a4028deb31d106e2b9f23387e6cdcddb94e042b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e7a5660c2ecd98cb264905f8b30ada57

SHA1
31f7cf89a7e9a0b07d6fd8456e507b7d0e2c0906

SHA256
47fea6beaa76acbc4d91a606860fbae9b49e9d9248c783079ba3f623a3437678

SHA512
43576f01d8ee71256c7e053ba101e3b66746d9d69e1432570457dbfe9686d7ed1bd652cc13cbeda4737d6c1ffd390e7953d513ada486b22b2dc026bd2b9157fa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dadefc7ec165171b11f41d1dd1fda32a

SHA1
ccd2684d0e3360b997a6c73662bbbaae7b8d5f7e

SHA256
4cd894cdfc0d3632f6d019b5a0769aaa279b0f390fa90a35f978a347d73878fe

SHA512
cce67c28c2ca1ae9844d963a8ed82b3401d7f648d21b008ac00e93159858bbeba9615f57b101ddbdc6c16df1538aff6de24184c47942e3816ae10eb743d7f31a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
bfc17f20adae8a4d07352e509b74ff45

SHA1
a47485587d15e7a0dae51d88cde83c0eead0ef88

SHA256
73dbe8c2a45c50aa4f6d2867ccf39861c1106089bda706c7bdb2b357d55e9507

SHA512
69ba12c711fdfdc324ca4726ca80de61d22ecfe9ce06128d525bf104d68057942b833961af1355b54f206df9cea2b58ef4274076b0a830231bc9c36540004b6f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
df5363bc7adad7138f50df2f2fb54469

SHA1
ac020c2e54afec49744010c1999ea00bc5b6b796

SHA256
61578f7abbbfd355c08bc7b865cd743f12b0d810bd7e460cf3b0da17efdc74d3

SHA512
9db542433013d1ff68c9859b360d905ea89b1ae4a182062bab92ef44072e67b0ca950ef57fca2dda0a203c26c76586615233193b488455cdaa18eb8386a1754d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
1c90714b091d39de170ab3cd2646fbd6

SHA1
b5192f2c31bb769392dcec9e6628596e6961618d

SHA256
88e0758f67500f841dd16ff4fe3f06889b3690c8906fd472b50dac7ca15a4b95

SHA512
2f43e510244c7d6d6b942cf0379d573650dd2bbebcdcdb307e4e90a825346561c3dcedbda41ced3ff7f99638d6f8176d1251e85e9b0065ea81d160ab443c1c61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3e1c0cf708f51312185d0e8123d5277d

SHA1
d7e6c79f2521b4ce28c34b5d2bb98f7933f5c51e

SHA256
2e027918e15e4e611959d5aaedafb31f15adf4e338a0298a8737edc2c2cca627

SHA512
27c6f8823811260c1db35acbea30ee82fa166ae23df29a8e555d7f3ebeb5d2075b3afe5f0d254f7549a763c45ce8933b23d79c6188bd1d99337ce3ee64b3c711

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
ac398504a22f45d0e8c8dcb1ded7dd15

SHA1
6cac5ef38fdb76541e55df3c77ef883a2a6c371e

SHA256
301af58ac6ab4a723762515c9e225bbc18ceefd1164ffd61f7603b50becdb2dc

SHA512
c7ac374721257919ce664cf70599dcb46e0c83c6bfca958af4fa1c04b7aada62b62ebe0fc643ef2339e36a891f49c5ea3ba376bb8a0eeb62587be8184fa6a45e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ef367fdf813ade881306f3889c640415

SHA1
1c95e249b0bb0f513a507a94a7dac6af1579ab89

SHA256
4bcadc4f13686f432233e4ab664d1d7a27364378f43244c0ca207501944c4a15

SHA512
068955775752d3d92b606651b9851f80ec1d853824bcec8ae528fe24502ff5cdaeb08399e8ef3130876396d9ab8ff4eddc1dc796f2f47b73e2fa4a622526c7b2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
d4679fb9276930dae31b5610479d4da5

SHA1
0fed1c101b34f3b20d5f2ce5dbe89e54937b589f

SHA256
220e1f0d0a0f5331e4c23aabe623aef74c9a9c385a42ed8915b55fb9b5920923

SHA512
8be9dd4e590e87b4a4b10f5c04b75adeb910860859cb78c5b621da8554c52f4ae4cfd0950c22f9129e3ce56c0d0ac1c1697a8e58d17a84e8ff8452666115a92f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
928a7b9885035d9f8e1a22030bacfa4f

SHA1
74fb0ccfb4c1f8474df78e6b91395501473a2d77

SHA256
09d7fd9cb60873293544d1a4414117daca6634051b40b0e1ecfc9bf717f1e4bd

SHA512
e8d6128454cf80fe845637fdafc9471f2fcd231840a4c5fb961e3deb2e9bba5c3be4f1245cf75a04badf59670bf3c678a363a23cb6c242799c7e0bc5e8bf56f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
61d52d4920e42541f8c542518823420c

SHA1
1e3369b585f488b3f0cdb64010613bb1041ba88a

SHA256
e42ad5b4d596957a44eefb69b80ff894eecd2e239388441d3ea5b10531775533

SHA512
429887a149b332c7973cef4f6ddfbc51f89f58b7d3d46bd4ff30f4de504b5caf18dedcf0eb8fac9bd38addd64df102c93abb76ccec72469a321adaa716436214

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
d5bdd63a7569ed005fc27e7660d0adfc

SHA1
d0485778c1fb5af64738b79eb6f8e99b63d008dc

SHA256
d19cc6346a9948b7aa69ce331c5c709cfa1ed9aa228a61b4c35ae7b10e1f4535

SHA512
633154ed5596550b9ddbf2453f838e65c8eb073104bf877558416887e3f13665c68f2053ff3be0eed41cb5d56eefbc0ba052fd4ab2a7df45a6a2d84362571963

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
5b2e0489a4e1e63cf734bd31e80b1282

SHA1
1b2e774cf309741aa18c0bf7b66869aa48dca256

SHA256
b5702bf5e8de4b1b8a4c0bd847f6da3ac24d851070fea3580f560c4fe3e58776

SHA512
aa161430e090e583e13c0344e9839561dfea3d806e5fc09df490391053efe4fd16f31f2f1d1e590afb578e20e44b6b94b7420926ba2e56bbb4a886c53ba7a46e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
ee2b27bf2037fe14071e9ae6c032d311

SHA1
c21b6b03902f76b7774d1f4c7be6a3e9ffbdcd53

SHA256
be76eab6320952046267e9f09a2a85977faaf6bd090935db31268bc58fa93158

SHA512
1dc1813086bc6105924b15b38bd44dcc02954e9d5393f50a52845b4a9844635e1838f43c29efaccbed4a60e9d039e4e963ed02f5ba4c6038917314791e79bd99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e25cabcb3343944712939fb8d6d710e2

SHA1
77c81783bb43d9f762c8d5687acc4a6456929ab1

SHA256
fa7110b16536dcc4eee0874a0b042da8ed1c027f23526646563b56af4cace439

SHA512
ee73257e6fa052ef2518da4c468900160b21a6d0cc7eb32258b93c189a08783ce0d74db09ee8f21e769622862163ed1decc51176178498149eb2e70c4b0d92c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
0607c56ecd28c68e577ff7d6f2315aa4

SHA1
79de80daa248a8705da090ce970f7f61cccdd6c1

SHA256
6774ee3e8fc4b36b06289f22ca4b1f9b62b8369700b8ba6a17a3963123db506a

SHA512
7c6978f686de726919cbacd92f3cc5c4fbb95c7d536073184050bcaf27cad3b7946d9e62426797db9ca52473223e211f9e47fb86110594b876d8586f198495b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
a4c6159550fd3890391aeb6ed936990b

SHA1
f082d3dc3079c59618179a6d80f18ec68baa5bad

SHA256
cb731c678ecbe10181472d151f076fc521becae06fece7429f366c3b4cb0b495

SHA512
6d6e6b3ce22ddc9416f581386d92d7bea1e92e24ff620229d516b33260e4c359ea4a9ff71e5c33c322e5e712f17ebb60ba4a0356a5e5ae282ec762be412efda7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
1d5f8ecaac0ee04f4a41cbfa8d19bca4

SHA1
a9d839d154a338513a3f160c7ad84020e1ea0070

SHA256
f7ac11bddb4a86fbc2c92adfcb823d97d16ad452c15f90213ced2b1b1820739f

SHA512
b36853b54c0aabcd8905c4c8e53511f81a0224fbeb0a0a303f3e185f9caf26f1df4c5fc8f88303dbbc113afaf012264e316e20ff69b353468bfd5630dba82e60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
126a30fc76a5e7c21da4bd9e66b56b9d

SHA1
f17ef819f13586ff2612f33f81951ad799833e68

SHA256
06a7b34c708e51ca5f92b097b6136a75b2ed1159fbffeef48b93fcca1570e788

SHA512
27e2cbb88183f928310fc11f406e7ba6768c115128aa41e40525b3651f8bde45ad46fc59f320cef4f3f7d2f079eb7b91a270478300ac8acea2e33aa8721063e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
796582b5ee0cf562236de64d9882487a

SHA1
c6bcd8103a87de4353bc416942cab2970b4e7bc3

SHA256
bd72d53197c1cef02ed5d3b2c2bba098111fe85b5eb39158a9d13ec80dfb05e1

SHA512
838c0db754772585972faf50d35af4b69b7abfb56cf4b22bd7333c132322f3b945d9fca5231b890ba0bd60bb4a09c57b078cfdd501d24533636d4b3e6d3714c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8d65f49b79d82992295b06d7b399ec4d

SHA1
37f6f57c29b560dd3375664cd18dbb49f8f96821

SHA256
74d498f85397c29b890bfca0595fc97e619e7c18ae1b00cabd33e5d5024a617f

SHA512
111d75d5c97b9c169918d31efc692ac5cf4e652cbad1dd905751e385865ccae0ddc6b97b6e9381cf004e06c4e9992dfceb2e3b4f87fac447ddc87448418bc4ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
c5df2f28bd4a95e015a62aa55f7d7d2c

SHA1
7b69395bd89546f3ac52710fd749e3bf2783e8b6

SHA256
c0694c35f9302b6b3212e50747bd93d9a2f311767e787f26105ca82e2afaf43b

SHA512
75f96d7d73db268bc29b4b24a5020c257fce304101ab26953c106a8cf45b7006f5248aee4a1e9d4b95fb606941502267ec565787bb861778f34a13c8a8813fe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
192bb9e7aac567fc49d5edfb9acd2a5c

SHA1
ac830e074ee538171f68b940374af10a9fec7a64

SHA256
8df848cf9ad2a089dc21fc1b03cd75582b3a90ff929372a91ccca041db0951bf

SHA512
4bc38066e0974ec670a5f76c02264177c868a7d980456bc7e5a39fcfb464bcffdc632e4a61bc0489c2851c2a8b895417018d536b0dcd782fa1b688bed4114b25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
923da33d28b21837c08d5bb0cfdc8da5

SHA1
532b021249a353760ebbda74932e7c7253c6d284

SHA256
ca517ad74034c545a340ae60dd03ff7221c84d35eb335d7fae4def0541a02a20

SHA512
06c344ee2735125332b36f19481e4835fc5fd19b409e83d5ece207fe8da066dc1ccc96a96381f91f0b3bf5791b0c28cb51e7ec587893ddaab86e04fc273ec3f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
6962574b067e8b566a06f9d282cf05d2

SHA1
c38c55bb50d8dab6431fbf4de8d758f46850438e

SHA256
35a965320753a223bc6736a01eb877e6b19daf457e516b6361ec4a16170ec947

SHA512
d8d6179d33383b4167f55ea1152e04b94fa0cbaaa6000eb6ad06a651ddcad83273fee5492d3ee91bf8c1afbb44e07498c1e45d20b5e0e97e233254e957c1601c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
322c2a65ef20a6ca371ca2ad3f9891c3

SHA1
e36a14cc24b618570d4d8f055116a702ac7cca70

SHA256
c4f3fee08c1e6def3f9873d4f1666a1b5f4479672fcac9bd1a0af015025a7e9d

SHA512
0bff7ad5b86a4a342b3ac7b2da5ba4d4e6d1fc5a53918e8d0902ad77c65d0b50742ec5c3a8759962ddd3245741b7c8d7bdac0342a39c4fed0c95ef4299db0392

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
58389370f972e63e7a4691069a59017e

SHA1
dce48cf6c026e07990208877289814657a1fb60c

SHA256
106ce45f6569a24330576cebbe466b5fb5f5c0a931339562d603d50b2ee1a306

SHA512
73a5795a11d2f5d938ae70448c4c85bea29afd91d8e29641bf94265092a2ba9a0db3882d5138e06ede81dce32b39376cda925b6bcd8e351d187fead6225bbb47

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6b4b4979f29bb26240afdea0b15d4f9d

SHA1
4c89030d001291a2305625e1410471c01ae7f2cb

SHA256
3dbd2ace451588d6fa02f21c38d56d24c4bc614ec537f5711d71a9feceadd3b9

SHA512
e377512a198849ae6b9744cb40696d8aa093b32cc923efbade4ec012ea08c2354a7c813eed8a25790c035042e503c12ecd877eb74de8d951ab8c6dce129965c2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7c8e64fbef9d3a19a2c6b6561354008d

SHA1
79bc44e7feba8890fc000ad6ea5cf3dfb2487fd6

SHA256
af566b45d723de535bfee973dadf40855a39dfb8603d70eb4dd6bcd72f23f617

SHA512
580aa1cb9f430e3746cd82737163ed102564cddb24d878e2e4879578db41b4ab01265635502166118164586f0b15c03b34f85ebd62ccbc8b6ba85dd92b11198f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
66e2ce168a5e1314b2db5115074d6413

SHA1
96085f2e7476a48cc22ad18d5805b9c89c833f5d

SHA256
7ea3367d50fb3158973a022cb6d25d2fe8bb96c9d2f21f4fe83e14e7a35b4247

SHA512
48c05dbacb8072964daea23073703986e34f446e0a83e1bdacbbcc8738e0d8da878aa7e5a784208d79f213e50d884d816f13f18b01479d28dd725abfc4668158

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
b2bfe22cc91000ee30c1d23e0e0bea46

SHA1
daf70747688816f41c2c01ee088db7e59e87a80c

SHA256
5d9acd8098aa14f9214241258acb8c670fedfcbd0149be7c739077adb2a154d9

SHA512
686d15b6d93391e89986c49b7b5c059a567ec387beb90526d19cd8a888bc75f5c0d680ca5838f955b0ee794c0bb90b25c837ffef353c8ebfa97185847ed3eb20

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a7fc9c2547100ce6c63ef446e1b14da4

SHA1
06116cbbacf456a052aac24ff64b73a98fb81656

SHA256
3d4731790e8a7f5de17839f2bbb682ee0933e37723e6bb3d1c8a139d2f6a5726

SHA512
d4a7df8d5db30a2fb5cd4b8de23ded1d71b4604afa3c6a64e378d8c101df2271a2ecddde9081cf406588ed3cdad9435537f0fba67fea7fdefdab377041ea4e30

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d3f642e2119db749817345b38ec30951

SHA1
896d965f18b4703cbbd25c9e9fd064395b7eb0e3

SHA256
83aa92882ca708bcfd37fbfd735b1e46930f8261e4ef8783b29a7a92bea8a40d

SHA512
e42d62298048844b27b72b3f77b5b426f811f6c0a08dc6be4eda5be2c89e30574a8a93ce31ee248235d403b9b46742a506dd85a59d61c51a5903b46493ca1698

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
515503ba4604fd5152896a46625a2efd

SHA1
c59a0bac9fe1d7696a4b262716ae2a18363ab367

SHA256
a8bd66fd2ed551d6c4468ca72b108a8c8bb56145eaf11d7a29bd69ad44cf2026

SHA512
6eaf14fb1bd0b34bb9d2d8d664be97b0a47809feafe1e5e39bd8ef8ebf6edc5d5c81873f062c89db70e9ced033a0796d74f95836a0d97ab1d5354ce545e59d65

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
fa13abd61d19f5aaf6ae9defaa4751e8

SHA1
b9c75045163aef5db20c491e056c276aa66241b3

SHA256
d52740d866fad6c89cc47fdd992b52dd027c48e9d0386269abdf75847771100d

SHA512
35abf6a18501adf699a0a312b360133c4433a3d94d808ce3b5f2998107155a84cbb629395919e774bb009507fc4dad01f85132feae28a86ef6b3d1f77dcb9c45

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
200998e94feab03ab063d6f82d30fc1c

SHA1
08f84c420d7e9a129fed4314702425a4f4475fde

SHA256
d665607c997f39b4a4a03052d8b6eee6002da82f7ad96360ef74efa006031558

SHA512
cd9c2bdeaaee3ab369e155c37be25ce61bd3e76a0bb71a4334a8589d242a11df23ebd806ee2cb39373565e864755ebb71043b69638c13aa6fed4665e5bf6a05b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
15d078ccb575bc985f3b5b90f384daa4

SHA1
c884ea480c4a7c6026aa59b630cfd8331837cb26

SHA256
30e4493683339b2958ca7891f7c8bf043ab07c58520d9709cde182f14c78bac3

SHA512
d4fdb3da0a9d271424237a3afda7b709d0db9e06ce3aba41632d575c3249e32322df65193c8ac99b489011f7155d21277a65463a254ce9dfa492c08bb086b92d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e3805e609b9676287c9073400668988f

SHA1
b946b1f6b8079fe74d0d350666a5568472dd1466

SHA256
db8623d459695170cbbc65c4f496f4dea953f37d4e944236b356ed18991eb204

SHA512
0b4f28770c251f4292c2c5fc88c1755637a8986f1b57cde53183db4df9e028e7672a70ec9ca4b78a45a6df9c99a160aa787b2eb0617c7b2db0a986df7f817a31

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f8bbef73a57911aa9580f9c69bc0798b

SHA1
bbc3368690f3d2e0dc7f68db0f8d6bf80e4d239d

SHA256
6210bff5bdf2b9b40dda54b7310373aa3ff6c513b8e2c314d73919224b4271e9

SHA512
a64f3a0714be552b94ae81db92426a5b498d24ae3a001f56e2d8774bada9c368041e45cf046b7462faacf058454d7412c9861e6d2471c5233bf526f9768c4f9e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c30aab682205ed3a51996ea1f42d9b88

SHA1
1718ee3d0c95834313093408a9ef08f35ad11120

SHA256
69633283a3c7cc3342cf87373c4f7efdb34082666331ad7935281c535fdb7d8a

SHA512
665c88b997283a6a72f217cdc47aa5493da6b7a162719cea2d41da378b1b4e4a8c09322013b85960cba3308373d2bb10bf1403583412c873c91f99794ad60f19

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
43dde8a740a8fa2ccab5b84250618d3c

SHA1
8ccf93559c27ffcdbb78412ba9c6a8e6b4b00a3b

SHA256
5d38e62fe89fd70f1bf3f340871c8909ad5c257c8ada68d5e5874fed2a36f7c2

SHA512
2a1a26c3af16638128c210a82c1f02dcd563f0697b07958832ba3154fa26fa646153e310bd904bad964bf879cc8f99f30bb32a367f398a86fa757383c28d9606

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d12d31c31f90b061c280fed9483de47d

SHA1
254d36812bd9241341732982c19ceb0bf560e5fe

SHA256
0cd9d674ea946a35f6894d28db086e45e4020ce15c1dea541c55830990053b46

SHA512
0557224aeabe6271b0d01e0c92df9315ad781c1be7e344341ec4856afac8128fb594283d7e191ec11216f9a83457701387a97b1293f3bcef4006fcc4272abb88

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
197610e418dd7ed39ac662bc2b73b971

SHA1
34fcbe67ee053e2b9503c48b456911cbc5750d7e

SHA256
6a7d58b8722091839b415058fa4d3d36af2d34edf73553cc8c04ed72f04400cf

SHA512
d167a76574bfa05ae3fb2ee67435d2ac6c13cb43dbccfcb5046eaddf5b0063c920635be2b857fdc3fe6ad6206282f0b2faebaf2b44126d128f320fad74aa19e7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cec9fef60543f47de1e3209f62a9d007

SHA1
95b3d77d90e8e9aa45c0c2108f3f3e529a2eb883

SHA256
27ae074b797c0b4d237d4fa328e60c13d9ec9e532dcb75c9ebe1f0530b6c40a1

SHA512
866a941d7f94d264e7bb57f89d68a69e63ebd40e55fc1b4ec030612c9bb280b4690a76109aebf4a3027cf55fcdaf6af6c7d9de5ca78c0a69d771bb0431f93d63

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
fdda586618a575a1cd926daba342fa20

SHA1
a0f06f42b891fb2336ae61d85f27cdb22838a71e

SHA256
e3c170b98eab5849702d938eb91d753003a00126e85d6aa858a5fd088d169fe4

SHA512
ff89f61310760b1fe4b22cb451469c8b873648a27080c691d35de79e62d5f2214a9cc4d7009cc19d778283fe99d565831210e629d14ec4afdf9c19560bcf438e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1ef968b0e317863bb7f3ebecdc3c447d

SHA1
562a068af33d934b7ce89f8a77b6abdb4343377b

SHA256
fec60ac0bb2d11c5a448c68e019da000623d44ce2c7e5ff4a506b117e10930aa

SHA512
50df0ba474f15ba3be7ff2b4114d6b6365cc428bbf88bf857d8aa3f051ff7cceaa6fabcf26ef603c43a7916e83bde8c5ded398ce73c56308d8d8b25c8b2c6fec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3d51510456092cd3c78b67ae1e83ddd6

SHA1
f236cb0aea68d75b4ee940ab0c49261a77d52634

SHA256
a34efcae6fb504e068ddce5bf2615f21fb51eda56c67197d588da2adbebaca49

SHA512
8e56fdc210c10d6e8c8e5b3cfd7e9770b5ac923a5d30f5b08e03d6410da8b6db8c7e2574c452b9f798bf3f22d9d25f5981364e102825d3d50d1e2d56271008a5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
2164eb760b7323fbc8682a778e2457e0

SHA1
491f391adcf5f36c2d10aa99ebf70ca63495b429

SHA256
09a7c14d67fa3b874b7ebc5c739890b1ae92a70249926cde9fdc7c7730324742

SHA512
fab4bd8b3ff6f8733fbb8724067dee8ddbcaacb2b660a7bf557bb4fe414827e99e0d7c8624b1c72b856a56038271cc1b6c010e3d7921263546a19510822899f4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
a3f7ff751310fc5f38d37675ba2660f1

SHA1
3d2b02f2091820ec97d27f1a76ecd12f5bfa62e1

SHA256
3523d8c307085e6a35c79d4b7472ccfe1e5665e934f2d02877a541d159cf60ed

SHA512
eea5df57655ca8c5ebb72fa8a053cbe3475751d55575778178dae25de3f4fa917cc28caf8a748355a35aae3770f6bf237f634cabbcd8cebbe9c0d8c03d8510d7

Download Submit
memory/64-442-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/64-182-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/216-640-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/216-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/712-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/712-643-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/764-641-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/764-261-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/1084-379-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1084-162-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1104-92-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1104-91-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1104-209-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1688-139-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1688-260-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1876-639-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1876-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2076-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2076-38-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2076-59-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2076-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2076-48-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2524-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2524-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2524-638-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2772-206-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2772-536-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3280-192-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3280-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3280-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3280-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4000-224-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4000-113-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4232-13-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4232-22-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4232-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4232-103-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4308-463-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/4308-464-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/4308-9-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/4308-0-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/4308-2-0x00000000021E0000-0x0000000002240000-memory.dmp

Filesize
384KB

Download
memory/4308-75-0x0000000010000000-0x000000001013E000-memory.dmp

Filesize
1.2MB

Download
memory/4340-56-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4340-50-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/4340-173-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4340-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4440-195-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4440-510-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4484-129-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4484-248-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4608-571-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4608-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4756-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4756-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4784-33-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4784-36-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4784-27-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4928-126-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4928-236-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/5092-87-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5092-76-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5092-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5092-77-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5092-89-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download