ff0a60c487c841636d024e647d266c229c96c7334d085c47d535754fc390b412

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
Size

1.9MB
MD5

f8bc80e73c76d7a23228440ad8208980
SHA1

01bfca9e19f50d47c080b971c0264531697fdea9
SHA256

375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a
SHA512

6253d13dbac1a1b5742f168b1331e2a46c94606feb0f3508f036bd5d5db272bd7821e33aef739bb67506e2680cfe613bbf6a16c4fe340c64e76957c614d16dca
SSDEEP

49152:ah+okldoPK1Xax/jnZmrRsWgFIDRRAubt5M:zlcPK1U/tYIUf

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
32	alg.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
932	fxssvc.exe
2452	elevation_service.exe
4092	elevation_service.exe
1568	maintenanceservice.exe
2624	msdtc.exe
4140	PerceptionSimulationService.exe
368	perfhost.exe
4256	locator.exe
540	SensorDataService.exe
5016	snmptrap.exe
2364	spectrum.exe
4260	ssh-agent.exe
1620	TieringEngineService.exe
2044	AgentService.exe
4424	vds.exe
1308	vssvc.exe
4668	wbengine.exe
1460	WmiApSrv.exe
228	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral4/memory/5084-0-0x0000000000400000-0x00000000005F8000-memory.dmp	autoit_exe
behavioral4/memory/5084-78-0x0000000000400000-0x00000000005F8000-memory.dmp	autoit_exe
behavioral4/memory/1568-79-0x0000000140000000-0x00000001401AF000-memory.dmp	autoit_exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\311babf5983eaefb.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5084 set thread context of 1920	5084	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe	89

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1308	5084	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a90db51eb15ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2e9501eb15ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045141a1eb15ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddc42a1eb15ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000093a401eb15ddb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cb77fd1db15ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034d73d1eb15ddb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
3272	DiagnosticsHub.StandardCollector.Service.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
1920	svchost.exe
2452	elevation_service.exe
2452	elevation_service.exe
2452	elevation_service.exe
2452	elevation_service.exe
2452	elevation_service.exe
2452	elevation_service.exe
2452	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5084	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5084	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
Token: SeAuditPrivilege	932	fxssvc.exe
Token: SeDebugPrivilege	3272	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2452	elevation_service.exe
Token: SeRestorePrivilege	1620	TieringEngineService.exe
Token: SeManageVolumePrivilege	1620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2044	AgentService.exe
Token: SeBackupPrivilege	1308	vssvc.exe
Token: SeRestorePrivilege	1308	vssvc.exe
Token: SeAuditPrivilege	1308	vssvc.exe
Token: SeBackupPrivilege	4668	wbengine.exe
Token: SeRestorePrivilege	4668	wbengine.exe
Token: SeSecurityPrivilege	4668	wbengine.exe
Token: 33	228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	228	SearchIndexer.exe
Token: SeDebugPrivilege	2452	elevation_service.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1920	5084	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe	89
PID 5084 wrote to memory of 1920	5084	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe	89
PID 5084 wrote to memory of 1920	5084	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe	89
PID 5084 wrote to memory of 1920	5084	375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe	89
PID 228 wrote to memory of 4748	228	SearchIndexer.exe	136
PID 228 wrote to memory of 4748	228	SearchIndexer.exe	136
PID 228 wrote to memory of 920	228	SearchIndexer.exe	137
PID 228 wrote to memory of 920	228	SearchIndexer.exe	137

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe
"C:\Users\Admin\AppData\Local\Temp\375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\375aead10728ec8de6d9f6e13a1bdb21563385fca54f367370057144f219488a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5084 -s 772
  2⤵
  - Program crash
  PID:1308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:32

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5084 -ip 5084
1⤵
PID:3816

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4256

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2904

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4748
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3d7288718d770b135b2c2a8ba4ca1871

SHA1
ffc4a19e3e88dbef330ef0a8fa315d87c9adb592

SHA256
df46774b3ab75f37faaa4a06fccd48347e4e313926496ec04f865dd7b4176d5f

SHA512
a93fecea335a23455fd4e7e738f9b86e1939b8fb5192969c1e9dc3cecc544662bb9603ecbde15e9e225286a98ce1861edfa88f1588a56883bc34fe60d45d40b6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
8ecb60e8a46c85a905c98593b7d81c9a

SHA1
1d4e69f3c97b0b603abe826f6235c44d12e9b342

SHA256
b0f411c33261e4cddf12171cfd47e10e5fdcb2a117e217cf4e97b812518645cb

SHA512
1f31a8456b0fccaf6d26757afe36d41eba8c3083462b90f4c0fb265b7dbda9b00eb737abf19422d49b4c9d0387593d79e13077f4d02f4082e428714ad70f9f1c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a7d77468ea3e765276af15ddc3a44ef6

SHA1
aad1f3a5ae2fd434ff8178af2058c0673ad09fff

SHA256
854cb3bc78eb31e6119c8ad2ea5f81678f2cb05173dc1009785a860d8b88c9eb

SHA512
8ea9f6265f51eb4bfd735338ad77b8be2f952025578fe98a5fea0e778c2f3973acf06ad1a19c0d32a43f1c6a747f2dca9a7299d79603411c9bb6359b9716355a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2ec45f845c2eb0c7a0113eeb405730c8

SHA1
848a766692a9fafde10a5a0a9e20092cd74f9281

SHA256
6bece0306666028e69a28f9c7d9a3d8ba32b42ba99e123bba80d9cd712b7a109

SHA512
ebc84e8f6ed60de2564913a8eadcc7986f8ebfe5e398541a2c815635e5d4030a128e166526d616841fb64c8e86e8521fc35347e4e8c0aeb3003e63e254324bda

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b6ee9d17b2e7d780b55dae35cbb88b4a

SHA1
09c7abd916a6170e5b17ef2bc7059579369b59f4

SHA256
34286eba4f0c5a645f0a39fae26e13bac0bcff321fce4529c538554666ca8fa8

SHA512
83d3293873d10eca06aaa124a8ccb3b03d9a9e3bbded5151fd700042fa55cb42255f0beac70ee0b362253dc374c1a2ebfe7ff87367fd6b881e45dbe29b13d02b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7f684de1bb79ff708e33309e6347c733

SHA1
9373a93758aab80485f9968da19186988089dc03

SHA256
afe0d90ace30b518f9b292745915e212811ef877b42e2639a34e34facef882d1

SHA512
cbaa52400e1e49606532ecad622d181019131fbf5c8c7f98a4071e6374ebeafd4dbaf18934c76e983df9135b8c7cdd885d8ff66bde0119ff0bcc0d6e0cef8802

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
83c318a73a0b72c20b52c56e8fc0294a

SHA1
6ac959f701993f0bbe3be4035fed1d00263ad01c

SHA256
969e56ff41ab65081f66314a7b8debec47ab65cbe2a8748894a461c97c5ed9ef

SHA512
cdb2f191b0a6168b2b0ba5bee1f3266a00766776374daf88f11392c3c514c2966b99f814fa220b848243eb49fb87994a03c7364b5ff60462971b9b2b90b0fb77

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
30d34a3797914aac587da7ebd6233cd3

SHA1
e4c4bd60c96d1e42814d08b90bff0e40c6737eb4

SHA256
613de7b480c97e82e28c3073e8ae0817df7105e62c04fc0d24187ffe6003c9fd

SHA512
e819874448d3b19be2878a50f3654e9bfba774a97d94566ba432f9a11cf8e5172433d5d5fd9d305ab582a6c12043f2dcb219aa48ccf05810d97425cbd1108280

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
37b02611bc36eef831984178a72c76d0

SHA1
22d8f71d459e7c63e3648306a9b5ae5053df7ff0

SHA256
be84fe80e9e8e6f93ed5afed2acbb59af9529857562e5e51239b461a235845df

SHA512
8b225f61cd0d893d3d535801073faaf27e33842c1724b2fc06b094835d9ec2ff7d8b4323c4ac1e39ec6ad87dbe10da29ff32dce37dcef5eb01c8ceba739cc60d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5caac899db4199876aedf97d58031840

SHA1
be636a9ef18c4cc739d27bdd731749411c96bbf2

SHA256
1d5c6cb326266a1cc6ff9efd2303dd2a84fd7da7ddc4f4773c21a47982a5205f

SHA512
ebe4fd7aa57139021fa805e6d740750667e1c098bc657a4f93f58f1408113b61c1d4041285a30c239fad40ed4cdc3b21708bee2383c208155cdfcd44c588e62b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ba6e78528c2ff1f78ebbc303dfc3eb1c

SHA1
292e439bf52cb2610d8f5245c13488870832d186

SHA256
40e8502470949fe672c83611cba95a2ac918a9b75b0cb37161e9925ac61630ba

SHA512
989ab97f9e12c2bcf6a7880bb61ead304880e47f0dcaf4dda4b9eb50901c67ac9e2a97ec376c32773c2a63ab1e7242a5f8d8609c655c7fc38ac96c75caff0263

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0c2b51cd3b0a64bc5f3c4749a1ea314d

SHA1
693e82a34b7c752c0bf33cd31cedd0102c6b3058

SHA256
c3ce326b7ab276f9c777f819bfed031da8d4a4e40aadd88384f64cb17b1f0a24

SHA512
b4e42ad034ebf2f0596badbba34044220cacb5477bfdc51d6a6977b1ddc12cb385ca6922d78866643b77e6eb790669509c8c35ed301d59b9b079d424fe35c77f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
9b727055ddf1ba2d87baa93f05408b34

SHA1
c86e2fe3b1d5aeab75a9d2213a149286d6400e5e

SHA256
c9cea1c26c43e66599d2c61c0e1dc6fd991d55c5e3f593a73778dfbbebedbd3a

SHA512
cb557992558f733529962d1ffe1123e102e2805a8f1f728c4c65068f77bbb373670ed783cf14aede75f6339ca3d4ac0b4c0990a2a0f4d0e888fc072df3c0b812

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a8d3d60de443da7ce64960c966dffa21

SHA1
e3f11cd0d5fbe9ebf654a12fc4e1b4239ea35e27

SHA256
5bac6b79db40ecdc07611e100204d8da711107e0eb1ac21c5eb033b8a7577587

SHA512
d884ebf57ac5afe3c23b846e8284519dedf568cbbb51e6a1349a09c23238aa8cccad5139871cd0d0f325927c81ffe4dc9a81d7a1bf331ffe92edf2ff51eea3ba

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
61884688e5fb80fae1b600b4a3c884f7

SHA1
56f9e6e2ad0a7454a5eb511535e268d63b1feb0c

SHA256
679226f63fbe7653f4af5b628805fff6528d6bc86f336955a5a121de295220af

SHA512
e5e2e3ca1e16d845a15c94641133fc98569bc31732e928b36d73bb2a4b1f41ac41f0205f325688220ec4e1877cca629653c6749b57ebcd3ee0a81314710443bd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c06296fd5c33aba25c60a6ae6d062be6

SHA1
7a0345311c6b247bdff14edcab367d4f8ad3baa4

SHA256
411f6db387846069859c70fc1dd5eeaf7d00317ac49db1f622b2e11bf6efe15c

SHA512
3863ac8abc2dbdbb5c798f5b36d31c6452f4794c471d522536fb5a72723c1f67e4dc2616d81cdf2cdcdef082aa31ebfd189b7c421f51bced795193d226c0f629

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8763e3f78465f06ab5c801ea5c6ab5c4

SHA1
48fc113fe70509385f475eb40d91199de49e7838

SHA256
dcbf7d152356f93f8530b37d07a7b586944490c6ae87990c4286d994ac5336cb

SHA512
0171e911369c7f654e0df5a221b7df63ade11911b2795fc698f1dff1854417fa411a863c60829bd068dc6fad69a265885d2a8f23606d6c9f1b73444c76febfc2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
f5fa1a3ff2f959a6c41d7daf77fd7da1

SHA1
6246667a0d085b24d4b5b65aa22bcfe6dab85c7f

SHA256
e8876704b771167cc1845db199b540810579fdfa3f9ad346b85d3c2f5351e71b

SHA512
0f512138b9cdb0984e03cb2a627ea1fb22646573ad3996fa5f8e81d8cab4dfb1466dec89b31e5edb9dc57183b887a09f0a4848fcdc433479aa50539a7fde7189

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
eeff84d82fb6b2789d6b59ddd1820755

SHA1
31ad521799180bf544beb2e8e2e63bd24b5fd6d2

SHA256
82a064be76c8dddb8c027daeb646137292c69d18d698bc99daa2488bcb0b180d

SHA512
1f08771bc89cf4ee5cb4b0f4187c35f343b02892de4d493d97ee9e313903a7c8c988fef9c3044a6b39eda50373a85e813e5eed03f2ce06afcbfa1e9d92d32ef7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
9ba84afac6db58341c69d549c7d3c421

SHA1
0f786fbe4455a952b06a743af87a7a2331221eb6

SHA256
17b50fe85cd5fcfd782b9dce20e062e0876b58e0be9e7eed3757695deb600121

SHA512
194ef0c3aa5a613571b9f84878ac2fb426a89d24a3a418d7bafd0068f4789ff8801b7b6fda0d158a0b64e0ab13253fd8c04257e2b6bdc6e2c62dca9c2f80c337

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
78d450e469fe6a7cd7a728819a4bb03d

SHA1
b3eb19b19525a50620da0cdc4ae2dd11e88b9ee9

SHA256
44ca9c8c7ca5a194b8c122ef0c62c25de7f829d9dc306a44e0ce3e38251feeec

SHA512
90017d3ebf01a9cfcde96fd82a72d9d70ad7a1af2569710c17f1ede74c4ebcfbd6982ad286c38f98c5c2bf79acbe2d4d3da3579361dfbff724aa94b1b8fb3750

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
55aa338ca01f4eccdf1f551ce2f6ac13

SHA1
2d1cd71b263fd3932d69e1ef49f4b40eaf5b93a6

SHA256
72cfe8f759ad640885f840bce869931289f16191b6397d349e650a40c9b99b20

SHA512
903611ca7867989b46c87979715ac61d032758d1bee253ceb25b82138f281d6d9fc9eb70b3e8e316f975dee9dcf87d79ffbe015dedd2e8172da69dea4bcdc855

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
03b9a9fa78400062f4b6c796a66a92e2

SHA1
68a35664c4a61f2777642b402961e26766301117

SHA256
efbb9992565827dd0463010828e3fcc0efa15e92e5e06639b69e356ad20abb93

SHA512
6ff345dedb2ea7a1efbc79940ac7ca18d28bf260374f4617a2b3547829538a3d9114935d6f7129e5948ddd95e51f218d4f771cea4af8223df316984b26996b06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
4294359e6a530b7cc4c982880f136e7c

SHA1
4b81b3f9621b6326a26c8dab2bb4a79ef8476b72

SHA256
c365b4a8188d7038971800cf4dd4fe2fbe0552485b55ec56e78a793492827b09

SHA512
0fd5ed076ffec3f40941abaa07b46c88e50ecc422826de20ee694d2382cbaf4d2959b562692226203138035fd4fc6f0e32784869247f778388cb0222d58b4aaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
671d2c66aa9744b0d51699fbc9aba8a3

SHA1
ea6956c66aa1c492eda4262019c008dc37f9d919

SHA256
f8420edf912affb207a0ccb1613d0b8b232570fe7d49bccbd0de93c6c9fda2e2

SHA512
6b661ff97fea595b5514b01a83bba9a7fb2591a00c9ca660c782c9aee64f057d6999c59e2c4312c24352986474d09a48aca4d1014aaaf60a0f1c3b6d4d09a8b8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
c7cd6321f3779bd95d8afd4bb2f328b0

SHA1
d197f64271204554387f8a2b74803c61a7d323e6

SHA256
94aa0c577ce37b81e2442332fe59101b7dc11293fd55c94257dc3afbd6586cda

SHA512
55adf26d00e32ea5dd1d82e5e33982dfa861023055b076544973374289856cece8d823369683e41f8b56d5d060b73971586a4999275827a6a8004a12bcd11520

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
93bc6ace9d18ba30c1ec4786df1daa46

SHA1
8244ed46f80c929341bb26c1893e93d8b5f5dbed

SHA256
2b8e526738e7131bd45d631697e2e19f69925702d699d56c8133f9c225356319

SHA512
4aa1f1fa21e3b60cc9136e2161623dcdc329235f9e8b30b1cba6294be8cc837ccf6cac3d3599c47d62dbc64692f4caa8bf036efff006a301a99574d63137db3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
273c3f63d48557f5b3cc61a76497acd4

SHA1
a3514e6fb56c5153e051010af610151e487003bd

SHA256
3623b60ef9315eb871feaeb61d6061ee8f70216e889fe29044dfd276a314d219

SHA512
3a6abfa5cd148459c4abae97223e1b6f9a9d3648cf20dda7747948791850095ea9c869d3a1f1aa31e7fcb0a7b92d0d451469699ce6c80dbeefaf251a71383064

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
aeb9478754cab9b8dc3289dc7a3b6d43

SHA1
f2196c5bb3339b38509adbac4c7a10be7f3e8200

SHA256
b934f3ed8f9342c213ff9b32be94e3d68ed710b0c2cd0187396ec3b978b65a7c

SHA512
89a71eabb5dacde747750d475704c50dc8f7b17c84972c1ff42a33d33f002510c418b1158942849a9e78485a6ba4c94c4fcd72e4ca4e5820f09ced112bcd08a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
4c583e40c6e0a35fd2f9925b05ac957a

SHA1
edd5d3030c379e4b336385ec9afa154c6219a374

SHA256
33ce9e1c3c181895e8aacad081ad770567107400e6dccdee3a1038089454c1ba

SHA512
f4c0fe89773b44aa2e72eeae6f5075b043d4595d662e6fe0eed37155eabeea016fd5c216a686f2bcebe849ada57643f483fa1c0f9252ef0fcf89fc91f6653ec7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
5f9fc23e48fcdda01571bc51856c374b

SHA1
a5e0d06ee425c52e4f3cc687121ae41279ad29f3

SHA256
9d7dd9089ebfe28b7dbddc83a3acbf2dfffa7e62f0a7456dc83d3303b607defe

SHA512
97fc1d2d648a3a13bd765352482a17d4ff9330d85d4281019e1ace67e3583160563d40cb27cd770c4da70316e7b67fc3d9c70f3de83e4288099ee17a881a989f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
54694a537a36dfbeecfeed706fdb5996

SHA1
a84d35452516382e4ef7b47f71115c7c20af31bb

SHA256
8792ec3f385ad08fb6b70b7ba5ee199e9b56f51bebd9a3ee675fba39fc5a8b09

SHA512
ca3178cc1b3863a66ad17bea2f0b45afdc82a78d06a7b65e54eadbf136ade2d92db6acd79a6ebc7008a2594253715c64bed288f338c5101d08e1f08bb65a0bfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
79c2cddd0b7a102bfbed14ceed671ec5

SHA1
7c2a71038efd071308c189070dca9dfcbd8df293

SHA256
960b827e498d82017689aa9a4dc99cb522e1997e8ce25d5d38032568403384dc

SHA512
b9472477c5b98772e6688c74f32ea653fa47a9fdc827e19c3f5a2caa804ce8116cf2a85e801f898279f9fa91b692eafac5b289e83c0406ddefed71f2df098113

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
3abd45725ebc40668306da3f2f1503cf

SHA1
c1b9a122803ef25e3d12699b27d0af5d3b6a54d3

SHA256
d2d57ec657833182aa8f3592f855f09bb83ef1dc9b2fcf5d4c28fc4e06ee47a3

SHA512
e69d54dbcd3b3bff629b5ec03ffa27a7be53ecabfdced8a826310e629af429dc0d412089ace4692f8cf03ebe8c26ef500b7cb4947903948627a0e638b61aeccd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
8135cca4b35194e10287b8d18b97ae0c

SHA1
9c9a9485476ad7606f9cc6510b18c3cd1df522b2

SHA256
fe78c77e4df9f9f3ab886d34a0e706862dedff69ace35aaf9157a38f8969ded7

SHA512
a0b0fbe659c26874ea72eb33c3b12ee8355344022fd97d171c916c9b383f2a2bf232df18effb4b240918ef522fe7e5be0e9e65aaaa78964382ffd8a429db1b3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
3d12923e4bf895347a0d321b7f5922b6

SHA1
148ce91e9e737a258e88cac48db36796b49cc42e

SHA256
daebe09181c1b3de9a96b1c08bfd9350c12c5e5ff3e7929a2f51b03650d2a1ff

SHA512
f8608dfbea0d0d9de6a660d4fc1e4e233d70098113072505731b79a878d70890c07e8c69e33d893d9748296c8723e2f8127511281423445eb995161b50c7abb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.4MB

MD5
6bdfc21287fc4360eae4bec874296af9

SHA1
61de65de907fa6b1389b7e242f948176c8f35960

SHA256
b40a21abe65a22b30f12df664aa98cdbf3afa677252b0ee6459a15357104b652

SHA512
89cd10b50c5569e2d3ac430b945ffbd06d5b219e8c91abcbe37fe16f1e031e36da91a0acf14987332c92302015f71460f85f7036c819b1c41f6026a922daaa2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.4MB

MD5
f6ba1f14b48d2fd54b7c899841db4ea0

SHA1
b5f90a3f02f246d42daf9fd14f36c2dcc270427a

SHA256
15a5817c2e94547a10907e8053afcf63a847aaa035dde711ffbb0f5137f3ffca

SHA512
a407cd50ed03222c8483434f3f26dee253f019b95b584fd997023e1bf40ac212ceab476f94c7d9e013923aff8d744f1ef79fbba7290b436f0207e72af857f0ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.4MB

MD5
568f95f4e581e3fe213c5d51778fec98

SHA1
24d0db483620fa83f8d89debdac5c299e114282f

SHA256
674012b291e964a42062695f4f5955fe6129cf948e7ffae5c23a98afd8b26acf

SHA512
d85eac3724f62c4b35c57c6231b166c35c9e597b3d43308961b0afd97489d0a29c6d5a3088ebd3659a394767529eba1a729b1ef93221fb82673eef20ff761415

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
4a086314a8d094146fe8d732ecfa3c8a

SHA1
58d0f30a9cb8e00eac0608c31a78ec9988cfd4d9

SHA256
68ad44b02c6063d1ddf3de21f1e76eeca32d300b195616223dce32b55f7c772b

SHA512
dc9445d131c78672561d1fcf7ca2a0f49ae9fa3d3802f854341d5ebfef14c7e417e17fae36d10773b4d4a1d5b882adc020cd51c7719203524b6ab07b949e26a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\autDD7F.tmp

Filesize
280KB

MD5
315813474e1b47eb1808c4e6ebffa47d

SHA1
47b26ba2910189e05c4b979098e2ad4d31ea271e

SHA256
5e87169df14118f1f5224c8697dd5be04ed63cbf4f7cfe9be6045b1b98525ebb

SHA512
4a31cca0cddaf4f9e8d689bdaeea16d2490791f5a5af09a668fc007035319b974f08b79c302e6ddf04bc15a800d06bb42352673d0fca7e1cf906607eb3f35287

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
85173703368a625970c8a70a95d3aa0f

SHA1
e3c229c02712557c7aa4e5ba0eda8a62354e9d40

SHA256
f67a01e54616b3ae7a8e71c583d5499197b261a8d4a8540b7a157ad7799882d9

SHA512
b553e945de78b918507f80f1044e27ef633fd50d62b6c831f216edb1192675eb49689325ded0dae9342476dad977c7b20ba4a3beba8eab550146d299ca611c0f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
622c8ecc41d7adae97a7ef88909701a7

SHA1
ff4474bb57525e79c0d751449a4c4c1c670bf846

SHA256
374ffda79a3df56f0455667bdec51b648c9c4de49f2ab27250e143ce247adbd5

SHA512
e3aa39f5099f08c7fbc5074709d4ad2740cb33ca321e2e6dbb44c8cdf961ed7c26cca89cf50aa394ee68284d67e92bf660912ac2a9ccaa9b6a3631de4a3361ea

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a1f2a15b43cd19f1c26a1a75469b0778

SHA1
2983905c6dd8b40a9cc96da9dde94d16a63ff0d4

SHA256
6012006c2a17320fef98015e0cce264e33b6d8b8627df1c32f46809b525d6c9e

SHA512
abdddbd2e14e2e88e90fce9415d82616d7ce4aee51a898cb39deedb51ddeea0942c5aa6381c386715acec2cfe4ad3732b808339985d02453172d7af7e63df93a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
eff7125a6e91b9b6e2fc6f7d3bc9c93b

SHA1
e2ab543a414bf8ac55cced4f1cf0797cbb5a4b16

SHA256
7e5d5697c7d279426ff69d0cdd4c1fa1a4d5a06857ec415414f8e3b13f58ddee

SHA512
b516345c51b897fde52fa0213b883a3d3e25b602dbdd8b1f30730a9adac54de3e6a1120e2aedd6942ac26006bab6e0167af3edb398bd83c71d018c0426500493

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d9b70c5292be5fe4f5419156a54bd61d

SHA1
bfe856bee9e4e1e764d4a3abb64230813e26ccfc

SHA256
b8b1911733ae0e254e233bf1df2266fe1bf6643b03f8d123079eddf3c257a86d

SHA512
8fdf7526686a276f48308d8eb7463d0868c2e1eed14febf6987173876a6b719d9d4a552473260d77b3f1283033f0f72f43030a66b67b88e62b114c6b8bb332bb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
f3a09acded6d1b05595eb31648194e43

SHA1
973a370aff5f2036f58ec6cb86794a3a4d943263

SHA256
7ddaf4d15254d64db1d6f8962d743271a2b22c30e189f7af6335efb1806837db

SHA512
98d1b3d5c24631ab48269ba839fe5d916b58b8eeb55c421751ccd3679efffa84f415406e638b013fc23375c720598ab1983e4c4c350708a3e9c5c19b1ca80c26

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6c44fb47aac4d289b3a71fdc35c604d8

SHA1
2404eb30d55f625e2744d40f878873ed127e625f

SHA256
0d82de5ef0adfc34dbbcd03382c8365e3ee6839d7e068a6124b83bcc408eaf2c

SHA512
d382b0c6fb31612a870669959e4646df9d652aae42aadfc6da0eca0c835747504ceece2b2a69d0f9f476b1e13228c954ec157f15ed4ee1cc7213bd0a3c157eb3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0c3d8b7704ef87cb01813bdfb6004567

SHA1
0c9a89a8dcd5b22494cfbda7a4ac602fc893d1a9

SHA256
1509d1a44f619de57ef64a50fb150c433445f841d83d61fc5fa64c4ac4eda147

SHA512
bc7eeb594648476e0c60648eb22ebdc6acaeaa3d3ba895df0e725cd44b10fa24f4b9f8abf1a35ccc994f8809763637c3c74ae0498363cdeca21a0557668b9236

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
73b2fd4eefd3ee8f507ca0b99646189c

SHA1
05145ac9b481a1dce94ad3b75cfefde19cf420ba

SHA256
29dcb3faf4811d3e1ac191c67b34db2e71676cc9c7a1470f4564a4fde1a1ed9d

SHA512
ebd9d0d7e040f6deecdcb42e6dcce8983aa4b15902a1d69690f704f13f581855e2e4f71eca2145e1a40d3ba93e40e3ebcba7aca994119649853a9d3213484cc0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9654740374448afa3c01c04e01606f1e

SHA1
f8bce9d9d5eaef100a55393a1a324cddcb53633c

SHA256
7f1f088536630c720d0de0675e3420144fa850e4b72ebbbd87cc22f5e21fdbd6

SHA512
5748476afb9842a666b87c6b98ca7cfa3e4c890f7ccac61f5b94d0a3d70556d092fe7a8d3153d5bbea38afe3cdbeff8c6d262b80da5b614b8d800a1eab308621

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
1cefca8402a57b07ffc4c2861e5d32c8

SHA1
aa7a2acd7ac0c5bd6a57b55dfe44b97d308b3c71

SHA256
4fb9d04abef5fd8e281a5fff77ec1c843f5602687f0bba1b14b703005a4f8005

SHA512
ad889a64ecaae7e7b2675daea353a596c12acdcb2790d78c3759674d86fcc83228307e3e1599545c602742d3c92ad5d37b8c8a6163950ded910f05adbbb89607

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2c3cf2da9a1f2e624f54d7bf4c6e55c8

SHA1
40261a112d3798bbb997380bb01020a241d183c8

SHA256
28b11a9fd8b04484989617956fc803fe7786ad443da32e157022dee2a67005ee

SHA512
2463a50cfadd20c4783b2aaea777ab298e950ee0d35f62d89e463ca051582cac2bccc5e7a5daac4b1a46f3f1192e7a26264ef490cb12e333a6d93c87016fd55e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
84c86b2e5476bd911ea5e48c27c70ff5

SHA1
1177790872e6cb244fd3658412215e9b6328869a

SHA256
beeb2f15f3f75f7906ee581a341b0292884c220c7a6ee10c39255b1052ab5f3b

SHA512
057cc31860b5963de6924342ba97a0c4f4451035dc145d99b6d22aa6b104b5d86a0282e89382a4038547ecc0792833ce9789cbc47cc1558761cfa0f4fa943090

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
c429595b07dc20b81d7f198df1d7b25c

SHA1
eff2ce8a70c3bc2d9d91268ac678d1e3b874f43a

SHA256
ef69a7d03fb6c77339fd7079034e49a9ed530d3932b371862954334223bf855e

SHA512
c02913892a82e3d1283d9b55344042c659e8167283a16ab294fb30f64362cfc0776410dd40bf384495a0d2e788632ba9980087224033367984d3910a66104dfb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
7121d0018f50e23c174b204953e70e3b

SHA1
1aa1247fd2c0b8c6a8e665813631d99153489ae1

SHA256
0cb779ff3f465c0084c3e52bb5f37d8f99d61c958898be107253f2d5a0c376e7

SHA512
cf2401703b1ddb9c30c9eb43d58ea3378c0a24410e44258aa36d73158b148b0cfc1185c86c96bcf3e05547ac3276163c8635920d4cafb4b1ddd9edc65d181be8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df599affeb4d31a2a1d4e41cf2c4f649

SHA1
64d53c2463da4a6881f747cc32c2f5bcd1962809

SHA256
5944188c2b8bf75633df352ce792f0658ce46361c74cf340f69342333956eb81

SHA512
36ac5cfc5be5de29626b30d3e6a73e8cb85921b88f2b4fd2849fbd7f06fb9ae13f3ed131dc8a8dbad9cddb22530036786f3ef2d606e343bb04e3cfa80e982475

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4cf86fede94387e2e2230180b1571357

SHA1
b4cdc7408732d1354952f132bafeb5e23d32d0f6

SHA256
7ed1bb369f8892d15112c80bb3df2c8ea28e313a141946abc2e3bba0df9af57e

SHA512
7197f1c8d000bb25a3f6af353ab45d3590bcc7945c4b41b32b458567294e4a9ce5fa319d2987f9716b79ff95e748983a3212cabef5d7764b3c46a00cc014b85d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
256c9d27e155180eab370d452f140ae6

SHA1
8424c746c21d7af1ecbd0143b5bd25b3ce1f5416

SHA256
c3d1543668e5d7435202079acc651166302cb92e1d1a33c1bd0412abbf5afe85

SHA512
5864fbb704d14260936a472562c74e3a8b96599d0c68f0fc8b13b46ad8ce07acff54535e72433f2adb78c193d698cd1b6d439ec2e10c811c733dae8fa675606f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9d89ae308eb80e603071fa67eef2f132

SHA1
5268a62ef26aad11d7971de7695f709e8a81c7e7

SHA256
e114694f641ab2eb308acc159ca611f8c8c37f6977ba814c8fc2e208b8a8f97a

SHA512
990f9b4492b69962400ed2628a86fc250dce35996f35f832f3d59b74cd3787d1da102939d979605e66e930e377c3479bfdbb879af13913f0db32c05875b2f57e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
5497d41b291b0c7d752a3d0b9be86b59

SHA1
9f3b370762a52dd66ee1adccb8b2cb55383145f7

SHA256
71225126edc61e87a98f27115e4c86560479dd382078ee3b20fb8c50bbe04f5a

SHA512
72f80dcdba9f5fd9175d66c25f3d9f6720fb4c8ac3855c5e64e36a07fc32a70114c7ebb12eedf2f035219041434c6b4645fc168e01e0a1add085eab96a7a11fd

Download Submit
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
45d9caa99dfdbd366a664661aeef8aff

SHA1
02be69889ca2346e753dfafc25395b0f1146b72a

SHA256
3897fb55357819e388a2bb7ee26e7a383e7f2a2b3b79f041977b219bd97bac0a

SHA512
d8d8786d110c27c238515e26850ba699d7e84e108947ac96d08c163d4843520fa2c2e8d88c4e77d0537ab12c67141137800b650c6fe2e9f5f52e58e2e10e7e9a

Download Submit
memory/32-24-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/32-89-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/228-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/228-562-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/368-334-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/368-284-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/368-279-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/368-278-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/540-554-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/540-291-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/540-343-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/932-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/932-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1308-331-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1308-556-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1460-561-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1460-339-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1568-70-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1568-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1568-79-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1568-81-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1568-83-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1620-471-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1620-321-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1920-55-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1920-262-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1920-256-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2044-325-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2364-298-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2364-421-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2364-299-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2452-52-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2452-46-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2452-54-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2452-255-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2624-258-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2624-86-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3272-30-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3272-38-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3272-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3272-219-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4092-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4092-257-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4092-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4092-59-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4140-330-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4140-267-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4140-268-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4140-274-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4256-338-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4256-288-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4260-422-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4260-318-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4424-327-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4424-555-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4668-335-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4668-557-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5016-416-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5016-295-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/5084-78-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/5084-0-0x0000000000400000-0x00000000005F8000-memory.dmp

Filesize
2.0MB

Download
memory/5084-91-0x0000000000BD0000-0x0000000000FD0000-memory.dmp

Filesize
4.0MB

Download
memory/5084-27-0x0000000000BD0000-0x0000000000FD0000-memory.dmp

Filesize
4.0MB

Download
memory/5084-1-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/5084-8-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download