76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
141s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
Size

1.2MB
MD5

119632982d43f1c5e4a889275df9040c
SHA1

106ad6d04c126be84e1f07adb8553bb3c087681c
SHA256

467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca
SHA512

a05f11fffaf78da5b7dcf69fdd657e683d37151be711830ee143a0c4d6db97c11bc3066069c1d924540dd830edb5ba7eb786eadf7f163403b6fa7f2b93ff62f0
SSDEEP

12288:DJaXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:VasqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1700	alg.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3760	fxssvc.exe
852	elevation_service.exe
876	elevation_service.exe
4828	maintenanceservice.exe
2852	msdtc.exe
3272	OSE.EXE
3236	PerceptionSimulationService.exe
516	perfhost.exe
4080	locator.exe
2856	SensorDataService.exe
1940	snmptrap.exe
2224	spectrum.exe
2172	ssh-agent.exe
1568	TieringEngineService.exe
3968	AgentService.exe
2632	vds.exe
1108	vssvc.exe
3616	wbengine.exe
2008	WmiApSrv.exe
2440	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\vssvc.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\locator.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\msiexec.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\AgentService.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\System32\vds.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\70ddd117cad6a2b9.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\spectrum.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\wbengine.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_78984\javaws.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1fc63a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e1a44a46055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037913aa46055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a0550a46055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000036fc82a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eccb35a46055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000018ad74a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000761fc8a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5112	467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
Token: SeAuditPrivilege	3760	fxssvc.exe
Token: SeRestorePrivilege	1568	TieringEngineService.exe
Token: SeManageVolumePrivilege	1568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3968	AgentService.exe
Token: SeBackupPrivilege	1108	vssvc.exe
Token: SeRestorePrivilege	1108	vssvc.exe
Token: SeAuditPrivilege	1108	vssvc.exe
Token: SeBackupPrivilege	3616	wbengine.exe
Token: SeRestorePrivilege	3616	wbengine.exe
Token: SeSecurityPrivilege	3616	wbengine.exe
Token: 33	2440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2440	SearchIndexer.exe
Token: SeDebugPrivilege	1700	alg.exe
Token: SeDebugPrivilege	1700	alg.exe
Token: SeDebugPrivilege	1700	alg.exe
Token: SeDebugPrivilege	3536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 1684	2440	SearchIndexer.exe	107
PID 2440 wrote to memory of 1684	2440	SearchIndexer.exe	107
PID 2440 wrote to memory of 3668	2440	SearchIndexer.exe	108
PID 2440 wrote to memory of 3668	2440	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe
"C:\Users\Admin\AppData\Local\Temp\467a61a07498f467be1e2dc3f479efddd779e763f928bc27963f11e147bcf1ca.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3760

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:876

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2852

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3236

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2856

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2224

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ab923263b4256bd4c0787e0104c235c8

SHA1
bca3cdeec6539b44c19cd8cd8bc8ab3cd677cf75

SHA256
d986a3af449694c06daea4fe9f916e984414e484f34ea26f80595385dafa204e

SHA512
162edf76cd2335cebe48936c0739b6a9d3729b381f5bac4193ca1c4be87ede5f166b26f1b4ca14afb586aeed48a0939ce86919a3c74871db6659ea6e80814d36

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
db724c151b257d6f930bc4e7f499d3d5

SHA1
1b81fa6a14f6935d23700c462fd84ad8d19f4f92

SHA256
6655cafedf366f9420c2e28cfa04888c9ae51944e28d42a19fda86da396c466b

SHA512
4d2da1a6b830c6c4158eb03ab8907deedac9523203a0ef79e383cfdf87d5757f531f5d615d8e25df8bd70bdf86bc436dcf33119bfa82636ae6d4c450f49f705d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
d0c6f1f8bdfc4b69878e69cc0a26af48

SHA1
2b27d84a2a83a4ac81165bd5ec352fd76f9603cf

SHA256
ca582224e8c00f0a75c6f983706dae45141f0095b97f712655b2a3e2adfb1e6c

SHA512
93ad6c928908aeed90633c1f6b593dbb5d53a3900e3f627522abdb66e3331335e42a5e06d2f7aa6d44568f6be886f168413e47350e29d2c737c0c395c8d34d1b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
da8e5e74d11ab7befc87f9eea9a06e70

SHA1
e876c1258cd264c3ac6aeae7c9120bca84cffe7a

SHA256
7c7a787a6405924d39f9608f9e131ba1b253a4c3fb46058f3e299eccecc9cbe2

SHA512
0146c6ed5cd7f014152b9355442d141aa5547ed064e347832fb92fd6caea268acda232387526fafc7a4c12d317ad37ee6dc751cb2662a9853c2e59e36d319f22

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a0da51412ab0250f56e5790da67e51c6

SHA1
10fda842163061fdcdcfe1f4ea58addd044573f4

SHA256
a3d1a243d4120dc7fe582acb9a0dce7c4c442a37a372d07a695ac7130cf4b27b

SHA512
7e3d5e50f57d798c20cca91dc9208dd5d7187dd0cb860068471b965745a35a253cb3aef03b757fbaa9dd4d8e5728c54b02948be6372200169c717b65aae27e1d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c6bd9c321655ef52873ab051abf50fa4

SHA1
46b49a068b9468783ac02fa9de396cdae5623ab8

SHA256
6d5c06ed6b4643b418f03de80fd6c793b5a113e7194c44259d1c414dbf4b2560

SHA512
531ad17da526feecd8acc1568d66998f8a8be9b60e0ed79a0b9dce47030d124a2de39d5a6de6be484304e5c8ec1c0b57f604444cdb17348000e0e8f7a385b8d8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
13f281b6ce5752b2e2f3fbf9eb5cd36f

SHA1
5f21dca7e908b07d6b2e6e50a267f196696a9797

SHA256
17aaabdc91e4a7271af4e1bc9db606ac004f1e44167fa46e21e9e750627345fe

SHA512
807536a13aab21c9b8815960bb2721b571c91ef168050e90a9071ac02f9fa1813f395fdba1abc05bc28b91cd65b2fca00b83e3577b0a578a43ee91a4e86b1a63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a0aadc71f8ada56559685cf60e2bf649

SHA1
0cc3d602736471eebb2f8d06d859fdb54a21d38a

SHA256
bde65b49bf17c0dccf167e2e1a2f62a641db0928658cfe7df1cc3c039346df3e

SHA512
5bd7dc5d4f120a32acaa0b1a01681ea37686d7bde3c275b9093e09c91dc5e37264f72c98151b464f0a9e2c96ab24a4c5725ad6932cec2e5ff102de55ae883657

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
a4749408a0547930782c93fe06393e7d

SHA1
0d899b303dc424b958fbd5bf4d86981bb763244f

SHA256
157532b492a6263143f86ad542d5ff258fc14137583a8241c9809a7b4c764f83

SHA512
6ee843e4befab826618cb1ddfacc4caf840a6d3eca5ef5dafc0073421834a46b35ca07794a764e275dc658c956858e0c7664649c4be7bec57eb34412a0bdf684

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
256e538409fc02798e81b33a02ab1c06

SHA1
b522d3bece7ad44ee8d384b8a165d3552589ce33

SHA256
83a034ab40b839caef1433774bcf495e081577fafee1d30b0cee60e2704eafac

SHA512
4a491053d389528e84dc64b6f27bc1b2c3f772e27302c7dda508b1bbc4f8c65cdf7beb2f33a5a480084955db8ac5fc0280318c871ffc0e727eef23a4842ae8ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
96a0fbd96e83a5e9c5fcf43ca3e66ca3

SHA1
60da795292a5470afec36bb1627dc4cf70a0deea

SHA256
c6aa9837bf2cac21e29179b083ff9e68c468a12cc6855df30601cf2a7f5b95fc

SHA512
46dd2319f91fd0545ce810444cb0b1d121c950c4c532d68945f6a8a8e5f7f9c2611e0f2c1f785b2d550954e063bad546f3c6ef2fe934bae9630e48120f55914a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4d1ef62d5bc621fdf95be1c676b8e620

SHA1
cd0d080107a1d0f9208c8f6185d890c85eccc13c

SHA256
c7a569163eb34f0e4f0c88d7699fb4e672675c224f82b86f11b8a31ff92667a1

SHA512
eb177499bbdb50da5aaf1b4aae705aab303e234e9d7c6e56bb10e0ec4e1718148a50469b9f7f1cb9707aab1278a3f4047196acffef21dd3d40f1faee1154be9b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
bc456029cba3f9afc2af5c755c55dd32

SHA1
21efaa83c36e2e343ad6f35e6ba064cc6fd7a757

SHA256
f0022c5cfd936f01dd4b278a0ea793cf439d0833450d35631223dcecbe27118e

SHA512
310f10077c9d59da3414f05a6992d7a0fdf412834617cd7c09e5ed1530aedb533b59df903cbaf09006e12b630ff4ebb39064c6fdb17fd880aaae199599a52d7a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
72d1038a137ac3b770f8381db60d8d5f

SHA1
83fa7d4e9db529dbcd4bf358e6a789777ee2fd00

SHA256
fcfe28f082816006ea4cb6bd549489bbc2d44ad11c29e15d5e49f2a38d5c003f

SHA512
60afb7b9711c62ca081db0a2e81d5775093097beb7d5f1bcd67aaa32a1a02018565bc6cf4c1ee06d6f3df3adf1d96e7be6fdf843064a6616b50e33cfb43d9cfd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c57257469d0d3bd782d49c2351dac642

SHA1
0d47bde74be7e11e7d6c43211381376d79044f98

SHA256
fe98103c426c42d727246f9cf6d2fd46f6bfd94e435147d4437a213d7ace5d8d

SHA512
e4ee069333ce9dbeeb05d2fa2dbd9011dbf39aa64340680b7bc31054fab51c0be5b493f7966f82613586f973cfd0d18c2dbe2a4256486251d9eebb7bd2f7ad2d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
df11ca9f5bfa5f9c087f8e68ac4e83e5

SHA1
cdff914c2e6883f9956c80a7f93d060f05f6f3c6

SHA256
9498a75bca7e8834661b6345873a7249b4f8fef05fe8ed5b2f3d5494d11b9bcb

SHA512
09c7b657cdaa6180ebdbf44350c1d1bb32b7d140b5c9defed3171461c395300cecf07bff3c3cf9e92081f1eb396b5dabf0993744faba4856625f84059a6ea131

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9749adcf57351c0b740dfde09993f966

SHA1
109a4993d4ed6f73e5d5a47d669d391e34759ab0

SHA256
15c890291ab25297bbc0da4a7e96e5d2821294dd902a100b3c69ec9656cd4003

SHA512
43a4cbea6c6f92cd1cdc8d748bbf1abdcea390cd1e20baf3c448dab728a4f91dc478ca76246aebadc64815c03cba974d2cccb6e50c9b76a5212fa8186edc5395

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
98243fdd881661129571139e54f546e8

SHA1
9dbf94a011e40c32f8b74b67d317e17e2456a215

SHA256
fe37fd61e622db6c52d6d665a5e9a3363b82e85c4f35440ebdbc4ae97e873bd5

SHA512
f77959cf7f08bdb4ca7eaca3af4c55c60681d64ab72c8442c8fc4782d09c1c05677f706cca5f0d73ab293d66063fab5004ec86145af175dee10b6b452d123df6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
56afd91a6954c28e0ab347a4988dfaf7

SHA1
d4260a6f43c14eabb899eb2c45c0855e58517222

SHA256
530ab909e9e12a6656ad4ef509b281ea25ab935861a65862a08bcd83e4e7be5d

SHA512
26c75c578fa4d83daf3970cb57b49c81b3d2d62c013315cae5407f47578ad638f2d0ebfc48bd96c999616c69ff1d21bb09a8c86b424024483eb8a80484904195

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
885da95c7d1ea900b650b5fa2f1cf5cb

SHA1
918b96043750ebe6d7455afdb3e4ca03aab4f57d

SHA256
23fd8a67f4ad2071c1198d04fba447f5c225cc9dc5fc5296ccd46c77460a6026

SHA512
14cd4d006764f2e5728ea20e2309b950d7d8758ee1cf5a8a2ca29bd9ed94e438181c9a550478db17495dbd9c072d447d4970fdc2ea3e1deaff7c9bb7a4060e75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
999d451282f5bff8f07e8e70ebfea252

SHA1
650aa802b9faa97b8d432e0b3605268521143da1

SHA256
e0d14c984ea127b2174c7a5c3d2cc1a0080451db7e4e2c077feff024d68c5ea8

SHA512
37fd177f0e2b258d75859b224a5aacd988abef5a4d72242f488fa8f67222e31d53852edfe7643db14b7de644a58ff5cfa7c1b17e09db8190770ff441b0b7a3ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0551c71bc90f3a55b17b22de7253eca0

SHA1
c62c0c70c9a5d7ee31a7ddb5e0e59b94713e696b

SHA256
9bb0908d089c824cf01e58254d8b26fcc9045f702f2ae716bc7bd32a18c006ad

SHA512
b1e4cc5a1a667662b0cf30068da01a154eb84f00f558e7cbd126bfd216fe12cd8d338ba3e362e6f299fdeb1c052cfb4887fc8e802bfed9feff21ccb369f2521e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
36b2f1316ffd8befa119576633428a8a

SHA1
40af282b01804f22a95697c26ac09abdaa6c6c6e

SHA256
809830eab1b432f216616a1e51e088a91716845102ae37fc5789d9627487cfb1

SHA512
9a88025a1fdb30a5ef8f70901775732707c757e1cff2afbe2c15c6ddfd1ada437d6624dc39763e4291fdb7f78f3bb7ef778ceed08f98555a1e1d1caa4bef39cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
7186e483ca8cd5335867ddf30d742fd7

SHA1
945f7cf3474682c6820329faf9d31ee64a6ff647

SHA256
897aa72c3d8f4c2ef5455646894abb063271993f04ae095f0bc5fb2f988b39c7

SHA512
23e3e5fca6f8d2c47cd2a485d393da01ee53088e652a39575cdd0c9d850d1847e563e88ed57f7a2645122d0a9fe8688c476153f0c0508a816b1dc1e9781c6ef3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
ce73ab73092e3b03d464784c069ee977

SHA1
121bf12fa82f79b69f0621596355abd1b030bb2e

SHA256
674b9477cafc333ebc591cc4f1fd98799ca4587e14bd1de542d655abad81d461

SHA512
1dcc8cf7569cd62ff5153fac220bd825c833ca41d2073e194a62ed34d859e3b85503179c9a5cece15e04654ceb4636c7a5aebf33b9c122ff5c0b7f5afa61eb8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9c72a9a9fc79bb96e445c61ece08d551

SHA1
baf88bf5f1b64158d037a2c14c702fe53edc12d3

SHA256
59e91e69b692fbbbbe8179a6616abdae34bc624ee7c8aa6035fa238e12592521

SHA512
3562bedab4b64f70584d2ceb648f6e1cbb706157294c10789baae51ac7988e1f4c9db7053ddf38988d5f5739ed62e3526d23aea04bc436e4b56a0a1d19694008

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
ee8e003c3f517b5ace404e3781eef966

SHA1
aa9afef3879f4bd5fce908dfd56ae2bd7ebfbeb2

SHA256
f4e8503d136daf6f6c595615ebee164212e965ab5c93b9cb7255fb6faf8e256e

SHA512
46f7800a55689ed2abf9e372685aa5aa7c9b998499430540d6e3ca1eafbf52f0d0994b24cd1a3c850f259d99af54b2c825b48b12e0f4816c1580a30fdc332546

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
1bf7d6c18df097313bafa7ab37a8ddf9

SHA1
21e4b428ec2ee7d485ed4cff553ac0fe72a51063

SHA256
34e60ad1975abd0e2773abfc3163816d33ed9d0dfa355a97d2516c78b9b94827

SHA512
a65fd4bc1c76a20ce06535cea4271cf788a440d44b2026fa7079496927da13ab926185857244644215bff3fe7fe3d2a5e0c09743ca8dd287839a0f60f6f5a80e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
bc63a346ff15785a4b69bd4e314bd188

SHA1
0c1a32216af59d01927064fcba484c382bffaee8

SHA256
013424452983432ba91a2eeb2191f4e8c764a1949b8a7e5cf1c6dc08062c0ee0

SHA512
952efd3e7026d4ce1d7529f7340f0016730a7d28d284390bec7aa178cbe3e392a5aa42d3c0ea7c07d0d18a0c65b5f2e958a52288789aec05df0e79fd404bd833

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
314b5c7080ec74c9d613bae1629cc145

SHA1
481166b27967d3dda8b661b58b2ef421bbba291b

SHA256
0319063850c0efe17913917eeb5f357afaf11a38264a8f6136161e8671812157

SHA512
67493a42709462671ed134bd82db19cb31b5f08078ee00eee8319a70859e4756b535245d881e29a8eeeb808e62b1e9be2a914d6eb9872a5986d7f2168259ad43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
9e6d69fd6539abed5a486d9a27d3af0c

SHA1
e689b9dee7eb55683915b8e122f1555d36a964dd

SHA256
ec24cbe0283e181ad672e466852ff5a3396aaee6d31db4232be637c5e29def83

SHA512
fc1e3c2169a8d9dd2c2f929e768be59a27b66173d9edce73a6ce26ea3d4c699bd3d68eaac7261d2cd4a1000cbcf408ee07e3bb37196cf7ac83742d79399231c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
22af94962e268405689982dff32efa6e

SHA1
abddf7463f8a85d8bebdd3d6cb810b86b08401cd

SHA256
8a5c7c025c6211e0da05d5b4265f830b088f0ce175ca2c12f8d2191802dc77a4

SHA512
d00f460247f19761c53ae0c8606d68ed31c6e721bd8167ca66947972fb1a9e6d4c4ef63ffad2f9d5009f6dfa46e59d8cca76a56814ce63e4c4235a05dd5328b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b672a22174738684a1050317213ff45b

SHA1
76733ce1b0f9702d00cf030136a8248122f23cea

SHA256
dc8a6d9e9aefdea13955d4ad58ed080b534e0d15da56877963dd7c80970f25eb

SHA512
95e59add167698fee56970a8913b76749908f1c1260d998a3e4e692ed964d4ead6bfa63871d30f50d0f1c632a8a9dc9d6563f08630568bd29573cc6e58c6d07e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
0ac80ce10a4096793b9416a6a335e985

SHA1
4089acc194a03746b430f2eb1db6f70b09943cc7

SHA256
95308ef9570cf42cfd4927e2b6d6414a329a696e975a633ac15237ff61be507a

SHA512
9e1fde1ec2345f9c7b429bfa01c10c05257b2d10ac10225c6635f26ead7d3e011e98659233680def98854059f1a6ab6b16a9ee496ec432d281e87eb1b886d1d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
2ac51265c52c1a838880dc43c763f9b5

SHA1
fcd14019893610c329b2ec24e89aa6b0a119b5f9

SHA256
723c24c86dfeda263dcfb9b880925052b5fa6397b3915e7577b14c6f7623f74c

SHA512
8c49ab442a5f0efd9faca332f86bf1a8c82993ef5e0a6254bd4466ae4234c9678409191d6408813a2e3904d394e7b656d8504ce7bfc06ff4d8596e4d7a47cf0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
c67df3adb777a6d288ab6e654d2d2f21

SHA1
f93f7df00316aee29b712d73aaab8dd3334c0c11

SHA256
a5aeecf4d56a94bb9185c4afb9ba135bb72ce1dc84dc84bc87c0ecf02882c26d

SHA512
76b41feaf098589bc469b797f16847e2512c30bf3fa862b1e25cbc4105b3d98cb2310e1bbf51fbd4c973664b9c4c3882362a492b59dbd7e875db38baea0f4eb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
406b818ebaeafb1953713c9b5ce7bd41

SHA1
23c0af05c81b41dc494f6a840acc38b2516c98f1

SHA256
7743c76bf53fb53192832d53705a7d0e104ad7cf3813eede354493cfdd37aab9

SHA512
a54ee1fde74c9eeacc41f29242afc4190cd5e2fa3e29ef913a1fa54dd6dd8ecf2d8e07fdb0ed316897ab799a1b1f3fdb74e493dbd15db422675edcd83673af9b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ca436e7fbd6b9dc556a0abb087545507

SHA1
35e059a299b1b64c4e74c8998f1f31231ebc4a68

SHA256
79578344d57485a46340eb39db42db1db6f98057206a7ae8bd7829faf93f8c43

SHA512
8a3ee25c900eac9cefd8bf3e17aa11fa419bf5409a13d5ba8a31940ed5c093e46b3e78e6967bc2cc7199bdac6b7ba25f98285c3a5823a93dc46a1b08ffeaa043

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
f6e5ed1c0fd954eba65e7d4552c33ce3

SHA1
35ed433ab263fb734115142d2c1d00b0c09b5748

SHA256
6f2e4661fcf191dd271582cef734b0f9488bbf64d7c10e9a749289fc710b2df5

SHA512
cd9c949d1ecc250094b6c79be70288ec44aa997360d37ede89160beee0627c8f6bc513690686a72f65a20ee88290e1d73bc7dc9183067f4fdfd76bf812c3b334

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
816f36f726227856c7e68f2458a8a0c0

SHA1
5e4e4af7565bc99d3d443ef97c92117e7ff8223a

SHA256
3f828135ec0f08afad2a073ae375dded36942533fa71f77c19d2722a71067062

SHA512
9242d26428d72c6168bab4362201eb04a4f65966d116df5ada77a0ed54a1f91e0991d2d2d0bf723e1ab04484d589c97539fc8978154516497ab8bc4e4539cd84

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a35d2bf604ab3bf764c07e8f6dd22831

SHA1
00265e91a5641870aad7773f556e2e00b23d6e1a

SHA256
c4dcaa639a7c2d6e85ccd78f4eabc4f98124b5b9af11a64d12d71e2356dc5e02

SHA512
a1a9ba4671eff11df2e243499c4a54d0ad9408b3d61723437a740aa90c1ee4337e7384ef4e1ed2435005d3de918c11b928629f51a589db7fdde720cfca5dba81

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
3e488bc9d7a5c17bb6679b319f2a580c

SHA1
91d6f5d567d1bdb1363bf3dbeb0d681a34d06d65

SHA256
84a37b39b2aef0647bfab4d02fae227afeab012154fcc1d2f4ffaae75cecc0fb

SHA512
1b77cc28c61af313cd2c4f24c7d559f67804c0d7daf0883ab2407b1755f4f19692321ce8adf8df81fcb0be8ae1952e7c3626702c968f786e038ef04f527371c9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8d26bb55a95ecccb2ccd993a9fdb7359

SHA1
e0537bd42b693d4750d7e50a857a7e05206f43f6

SHA256
a165c9372f010d977e277ea61966f36e820caf3b2b5c4a47e099fd060571c997

SHA512
1ab4b857296b199471bbaeb3624ecf6210e43cde9d13c67e3121040dae57ff9d8e9b41863b28d98c9e6e760720435d9c8a46eeeeca5a5f114e55c98fad6d7b5e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
230de542350317398dfd50d037a8c4f7

SHA1
b1e09148aecec53a38213cef89b3aa3ae4f089fd

SHA256
d812a46c57199d9c6d7c43bbe91c5b364a1d2cbebf01961c8e4fe5cbb06756a6

SHA512
f4452f56917f66ad6f019d4c1cff71564b651fdba87be8c9c4b83be030dfc47e5b565749416f956495bfb8fa2dfa219fc84164316f532cd30099a99271fbc7c2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
ae8770612dca5cb577efc47f9ddd81ea

SHA1
730621248e8c101fb0c263e0064dcf3a4f52445a

SHA256
91b89528f225a9178d54c45ae05efc65f75286e0b1d94b5d139e19cf704a0ce4

SHA512
72b3ded3009730a37e23d1880df8a3f0473e0e2789d0e6120192db770928606a7149471856f780175482f623b61c997dfa0388cf277e78e35ce8c65d9f3fa0af

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
54675eeb8f21eb24187eff28b1d608a9

SHA1
65094e03239d0cc35062760abfb1da1696c2cf66

SHA256
cc82ec531f9d669d9ec22e1568f4973c5aecbdd36458e8cad8d08c09d6b037bb

SHA512
f652c7814be3617264075b277667038e1d17a3ab23fd4a3e50af0aef4a944063d885891bc7802ef334037738b20ed64ee2de438ea7179cb28334a838c020d6fc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
36e0d14c6d633e1f8f967052eb8884f5

SHA1
7ae2016d7b44a6ffd4182a5d39083e29c8eefd73

SHA256
4d5b74128be9e21054da0b841dd8c7ae40d365c43f690a4e109e3419e27d978f

SHA512
ae7c9d75e87d31d013068a14a31a4d22dc90eeac54c755d34021a558a9917116bdffd6e25fa36434952f690a82f3cf796387ab7b74532409474281abd56f56d3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
22fd9a7de65236d8257e5c9d07418b2d

SHA1
8c130ee8ca36c1808cd31c5ee4f7c8d893f14bed

SHA256
2cd5fb8ca797ffcc939a4f7f16b20898a1251809145cbe028ab96ec958723ec8

SHA512
69b0c1e413a9843173fa913079c42d66388a57570b887c66f66513e560c5190cf841acf24cd1dc49bd5ee17a1e47d4e3b1bdb17660b763f78c36a3860f627090

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f89bcbcc2efdf213b72e474ef21d21f6

SHA1
41fcd5d27f5429bfa6912aa4f0b6ade925045c86

SHA256
b9b904ec87df981f526dae4549359469e569c526824c563248e8f7f1f257a644

SHA512
5bad0381929a3317aa16fbdb9195461b9be40bd63b90529c8bf6df19cf482a90cc2d4a51a4f409d8e3a68ac06e059de73c4c1cea72b461123bb04149596700e1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
bf0cb1f2053d231c9072d2e673043b84

SHA1
bce8909c6c639edb4be6be5e54744373f57d0d08

SHA256
3b6ac3dac3d601b6e44271c97065754f127f048565085edda85097bddf90280e

SHA512
cfb720f5060bea30539768a76b434a8b0c60c404153fb74d65dd2f974906c8a40202f602aa15729d7f98a1f5244fb838b149d9325878ced6ab1ae8ea41021159

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
529b69d57d785172a14dd7358f9f0b62

SHA1
8901e856abc740ffe565c7075853577cfc66c6da

SHA256
34a0e9b2d4977c754dac9b3aaaf40cead083b507000b724d6a689f806994f868

SHA512
61e32df55ff1c16d72d36e9ea0fd5bae3695bc27cc119f331c9881e2249cf681abe471d4b49410d87869ed41f3f507f6e502f7163f25073a80492496fc7bfbae

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e90a620f128002f89d34f0ad22767dbb

SHA1
91a54eb9605aa4706e5ae10f6a3d1c68e584d6ab

SHA256
8537695267b63ac8922a15ba29c9d90866785ba14bdc4f2c2586e5035221ce26

SHA512
5c294dc11fb88fc735f464c7ccd7538ef00b04edc8cc070fc411b102db2e0d1671baf1bcc05b9126799292e4db5b7e7d0d0c0fbccc423d583d68f3851d91ed70

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
658fbf77da0907cfc20736b54e04dc49

SHA1
b18d9de7fe921389e5a84ec34a1b86908736f830

SHA256
4c6e46f6f044decad23aea183369bb8610208d7418f661ef2b9cdacd3733f6d4

SHA512
ba94ceb5696acd31cd230a1c8f479796179bc0ca03ebab1d17c44f017132499d651ffd45321cc19dfd7fa51b260b452238d53d8bf49487d682b2733fa8620da2

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ab5af04e0fefb86356d1968a7625a75d

SHA1
1976d63620ad8c2d0c94b85dee6b1fd8db1fe22a

SHA256
bd52f351117bfa9589b09dd6bee7e33718da74d5d1ff43dd1a9935d790e65336

SHA512
a0abf747edceaf8ea1d213f6d873e3afe4580158a8c64b6a54249c5ebcc88652ae1859009f2528315b67f4804ced2cf3680b870b590487746aeb6f9e0c64caf0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
de7282c21cfb1b4fc85b225b6b33c065

SHA1
476a7f8b8124032bff2f5f8af22379dc298dcf2f

SHA256
314cf0227b21234b1045d459ef09769eed9b538c1619d185caab6ba21ea4de47

SHA512
bbfbe5418cfd22f9be871dc30cc6a78369dadfe1dcecb8bf35a43318607d1a9a62d2cc648fb7f0ea68746d713e5069399988d4e65811dfe7d83e3a95b726ed00

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b708e8dbc0072dcd63ca8b177cffc139

SHA1
8de20a2a57c2fc8dacebebe01298d8b2a54d1845

SHA256
7095dee3bc7b44f411cbfedc4f61757b76caf39f3121e7a59a9d776f0852274c

SHA512
2d69e6fdea13174df4b299267532a6491d19baedaba4f170bf11b7373fbbe37b2f0d57d8a30f866a6e35055b19c697abf376cae980aadde4130f52450ba99a50

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
de6c4951a82c68f19e57c646f52430ea

SHA1
1431111cf2d9ea3d38d21d0ea34115530af3de73

SHA256
bafebec8f32f91354bfe38fa95c0d61f8eab76525e326835d98baec9556d49c4

SHA512
557f6f87574f07583087bea2aa7e9ab761282e4219518746ae95f7892102f224e1c0e903f43611bf500a26c3e799aae949540df38b41a7b0391caa486667332a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4e7459abb58fa942af20424a69367741

SHA1
97ecc2f9f79f2cea0d706e9767d003844b3b3409

SHA256
728211057fa39eb8796b021f776fa17df8874bc2727fd4209414d949507cf752

SHA512
07f440b918a2d299d50be9a64aecf5bb77c9a402364ec13642a19aed1abccb9a7eade7eb2e629bae59b6f15c0fbd17152d5bd9165b43c87af641f65211b9c951

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
4b69d2127152c15a7b32577bf78fd4b4

SHA1
b07cd6da8e2a61698a1adbc429203404a4909155

SHA256
eee90590dfcf8850a1405bf7bbb0cfce82ce1f4672880eebf34f0c0ef0be406f

SHA512
57be360c1ad4247d1a0025177daf3fbe7413a05991dedf2cb3054b7a3356b38da84ec1c696824afa5b59041e746c1610f5b2feb00f87b1dbd7b5e82786125f8f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e88f8b3a17aa527f216e17591674a1be

SHA1
0f15464ecc30bff5178300558ba0a3bca60e0a38

SHA256
6284fdcf64860d0753d1f70baeb1c5cb834a6dc204853cbf33c5a98c048df56f

SHA512
c6b35cc14ff03b848fadf29c174076f6827ffc63ea83341744d98780efd6b487264bd6f3898e452263464790b2c54aa1384ef91c7fee032eb36cebecfa411d68

Download Submit
memory/516-241-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/516-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/852-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/852-58-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/852-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/852-50-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/876-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/876-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/876-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/876-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1108-580-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1108-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1568-192-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1568-532-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1700-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1700-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1700-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1700-91-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1940-156-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1940-343-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2008-585-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2008-262-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2172-463-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2172-189-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2224-420-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2224-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2440-586-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2440-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2632-579-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2632-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2852-100-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2856-584-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2856-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2856-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3236-229-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3236-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3272-217-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3272-104-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3536-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3536-32-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3536-118-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3536-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3616-581-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3616-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3760-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3760-39-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3760-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3760-60-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3760-47-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/3968-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3968-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4080-139-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4080-253-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4828-81-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4828-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4828-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4828-75-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4828-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5112-8-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/5112-538-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/5112-83-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/5112-1-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/5112-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download