9908f44de0b732bb4a8eef3e668f7869262f2817eb52c8f99c2b8a3cc9880fac

Analysis

max time kernel
146s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
24/03/2025, 16:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

1.1MB
MD5

9e894f9f5fb995c45c026405c38cbbfe
SHA1

43814153b994f5fa0f0436f7acde3a4a8767ad7c
SHA256

9908f44de0b732bb4a8eef3e668f7869262f2817eb52c8f99c2b8a3cc9880fac
SHA512

b8b66da6a85449e4e98c10781fef5b97b672e8543ebe4b1e0873056bf08c4ddfda166b8cf6e93485936a9177516c5d58d0f1d551d941dc41f277ccdb985bf57b
SSDEEP

24576:wQ818EiYTmp7kHizJyhZApJXNkNSvnTVUuJLinlyK5AFiogOj0SC3b:8Tmp7p6yd1vnteFL80Pb

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
5204	svchost.exe

Executes dropped EXE 22 IoCs

pid	Process
2960	alg.exe
1448	DiagnosticsHub.StandardCollector.Service.exe
5488	fxssvc.exe
5936	elevation_service.exe
1328	elevation_service.exe
3664	maintenanceservice.exe
968	msdtc.exe
5104	OSE.EXE
5572	PerceptionSimulationService.exe
5680	perfhost.exe
5864	locator.exe
1540	SensorDataService.exe
3192	snmptrap.exe
540	spectrum.exe
1252	ssh-agent.exe
3860	TieringEngineService.exe
3476	AgentService.exe
1284	vds.exe
3460	vssvc.exe
4040	wbengine.exe
5924	WmiApSrv.exe
1776	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{6489E187-B6B6-4E2A-4280-9B07272DD201} = "c:\\programdata\\{F899C9B7-9E86-D23A-4280-9B07272DD201}\\55261928.exe"	svchost.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	1.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1.exe
File opened for modification	C:\Windows\system32\locator.exe	1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\23c767b5163578df.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1.exe
File opened for modification	C:\Windows\System32\vds.exe	1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 6000 set thread context of 5284	6000	1.exe	115

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\GoogleUpdater\134.0.6985.0\disabledupdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77156\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abb25e4cdc9cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c08a764cdc9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081618e4cdc9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f032f4cdc9cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077d8844cdc9cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\CLSID\{A2BCEE4A-B97B-881F-4280-9B07272DD201}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\CLSID\{F899C9B4-9E85-D23A-4280-9B07272DD201}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000_Classes\CLSID\{F899C9B4-9E85-D23A-4280-9B07272DD201}\ = "1742834787"	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5284	1.exe
5284	1.exe
5204	svchost.exe
5204	svchost.exe
5204	svchost.exe
5204	svchost.exe
1448	DiagnosticsHub.StandardCollector.Service.exe
1448	DiagnosticsHub.StandardCollector.Service.exe
1448	DiagnosticsHub.StandardCollector.Service.exe
1448	DiagnosticsHub.StandardCollector.Service.exe
1448	DiagnosticsHub.StandardCollector.Service.exe
1448	DiagnosticsHub.StandardCollector.Service.exe
1448	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5284	1.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	6000	1.exe
Token: SeAuditPrivilege	5488	fxssvc.exe
Token: SeRestorePrivilege	3860	TieringEngineService.exe
Token: SeManageVolumePrivilege	3860	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3476	AgentService.exe
Token: SeBackupPrivilege	3460	vssvc.exe
Token: SeRestorePrivilege	3460	vssvc.exe
Token: SeAuditPrivilege	3460	vssvc.exe
Token: SeBackupPrivilege	4040	wbengine.exe
Token: SeRestorePrivilege	4040	wbengine.exe
Token: SeSecurityPrivilege	4040	wbengine.exe
Token: 33	1776	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1776	SearchIndexer.exe
Token: SeDebugPrivilege	2960	alg.exe
Token: SeDebugPrivilege	2960	alg.exe
Token: SeDebugPrivilege	2960	alg.exe
Token: SeDebugPrivilege	1448	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 6000 wrote to memory of 5284	6000	1.exe	115
PID 5284 wrote to memory of 5204	5284	1.exe	117
PID 5284 wrote to memory of 5204	5284	1.exe	117
PID 5284 wrote to memory of 5204	5284	1.exe	117
PID 5284 wrote to memory of 5204	5284	1.exe	117
PID 5204 wrote to memory of 6000	5204	svchost.exe	86
PID 5204 wrote to memory of 6000	5204	svchost.exe	86
PID 5204 wrote to memory of 5756	5204	svchost.exe	121
PID 5204 wrote to memory of 5756	5204	svchost.exe	121
PID 5204 wrote to memory of 5756	5204	svchost.exe	121
PID 5204 wrote to memory of 5756	5204	svchost.exe	121
PID 5204 wrote to memory of 5756	5204	svchost.exe	121
PID 1776 wrote to memory of 6008	1776	SearchIndexer.exe	123
PID 1776 wrote to memory of 6008	1776	SearchIndexer.exe	123
PID 1776 wrote to memory of 5376	1776	SearchIndexer.exe	124
PID 1776 wrote to memory of 5376	1776	SearchIndexer.exe	124

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6000
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5284
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\system32\svchost.exe"
    3⤵
    - Deletes itself
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5204
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5756

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4476

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5488

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5936

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1328

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:968

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5572

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5680

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5864

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:540

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4520

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe

Filesize
2.3MB

MD5
dc89eb59a2762a889968b1712bf1148c

SHA1
fa21b010f47d25c2ca9cbda5486d53ccdc0f8d40

SHA256
f3b0659abbddc2ec85117c170b0ee31d992f7cf0c6a759ddde372b5fe6c724aa

SHA512
812597745434fc9211aa9eabe13b22d166cc85f8718b9aa78d6f2feb959030bd0ff4d9afd112bd4d8154d28580b1f99bc137bf64dcffd50c323b4c0f7e43bc94

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
77c30343bfb3717e117eabb2cea0ee45

SHA1
17ecf6d5e4619ef5f1932f7903ac323217d6c65d

SHA256
fcfa648d713fad51370211485942c02a1d8678507e849c5639fa90b8fee42354

SHA512
c3a8678f06dad0050028a4bd258f9e854afeaff62ad248685535ec7e6bb6dc10b26122a60145c6dd175e249e676d853a4eb5520effc8c2368e5404db4cc5c3a7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
bb4b1c12648332948319539f06550a61

SHA1
cc5dec88189dea10aac35da30fee50bd03755362

SHA256
3753178f332d3015bed310323ab649c6f0811c71bcdb4849475cfbdd8e355dcb

SHA512
b1a98f7ac4c139bcfee27c6d3dd29c099ecf011d08ba69b092084967de94a902a65df84cada257973885bbaa70c9bf13b257b06b201f478765379ce73822cbbb

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6e6ad924a4dc39949a9a42a4afa6792d

SHA1
c1cc08ba5fe59f117fa99caac281dbbe19970e15

SHA256
fca6793c88d6235f5d51d3dbd0c111e75bad2fca84d46bb71f999fe404d6baa8

SHA512
be147fab7dff49cf51d6f9abdf8842f4087f478dcfb55afc9522401c2d3776279fa85763a1d2657ce332dffd3409913e2e92f95ef10c41abc9b698c11d3b9990

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3b91d935e1a9dd1508575204671a2213

SHA1
2adf899f770024232d3578245ee48ba03812bed6

SHA256
56f75eeb84c5af290b52199871fad4d4a179c46152cf34b1e2d4e528d8acbb06

SHA512
c4d7dc6d48208678b364f5d36152fc3cc382a6495d2336b3712ae37132462d41c29bf427892468eea784ce24721586090c533c1d07945573749012e8ed362b79

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
021a1ebb5c7e9df63bedb011ead86464

SHA1
30c05661b521e74f17c4f86c3dc207a464d75eca

SHA256
2e456d6ecf5f6b2e5ffff53011a77f975da5e580e4b9833ad26c6216c4bafb7d

SHA512
7adb40f531d572f4a165b63c8680ce8e791957c85832d82315216b883d7662e8dc392b99e9621dd1b70de1559776a47bcf8a448926a7af97d84f709d1ee528ef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
f1e0250ede94bafd728d03183028534a

SHA1
a2c9ffa52a61289ee1f90efd94eff376691fe0d1

SHA256
c26ad229c3b00e289de0175e933f384ae343fd407ac2c7915a206eb3ba783654

SHA512
3416d4da9478d74656721c0928265af5c17f57c9ab7a94b5a9c60330a4007c022d63fcb336721a27f7d31598290ef16736db883db92679b4c334b264888c8da5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
39ae9d113153b61a17a9e9fcb4b4dca7

SHA1
5cf25e4bb4207325b8b8d75c427a9d0b4290a503

SHA256
1a2fe37b155d40a77367973e51dfe4ec995b7a0c3d5ffb866c5c95a596f44189

SHA512
c143d5a03eb0e7e7e5644ec844abcc68ce519da1bb99ecd49582e32f157b302d049e0eb0e0aebb19f29de7fc4f62464d313311167dd4ef3b03dda1cdba3084a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6efe65bb7e2d1ca13bc86b423f2f30e5

SHA1
3487ae2bc4be2142d728095eec31d47d84ec2f1a

SHA256
965e2096602ed262240358429d66dad4aee9acda228d99333c826fc857bc27e0

SHA512
b14c684c07652eaaaa522f2baa4f9deb481d1eba5faf9e5ac7c811355113285cbfc7d18cc45d742283c31450b74890dc1d6fa49d95ffef648999ddb886700d53

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5c10e0e2e08102c575234b8b82113e70

SHA1
68d9184e0ce045724303a2ae0b369b234c92e926

SHA256
ec7a98b2a08380905653fbc38414f8ec63d511f0b0ac85909a6e834ad36cbb51

SHA512
c6a33dc1a2fcbe5cd46dd3d0382f27419b9a285184ced5cc0da075e612c8e9f88183ff7bd1e36c4b5448d3b244f103638d785201c0ea3c2e44e8ce12ac360b56

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6ebc03e1a5f84487f7faf2b4ea7ad674

SHA1
790eb62844efd77646d52fec705bfe1c8cdbf272

SHA256
9bed08ea1727c14edc97232b666d772414c044935ea58a4c73b9df4d8e0dfe8a

SHA512
18784657482199a1ca1a8b54f2e8c87c8aa0827839abee63f07156140a0f464202d4daab615fa6a2c010a8b498a1766201befa4e755231e62d811fa4473eb42a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5e2d2c40f94c4ef8e1d032674b5ccd14

SHA1
f3ee89f3e7876c90a69de5a68fbbd2a42ac31dbd

SHA256
fbf31cb72b9c9a46bd364dcb87dd94df49091b616247733272c7002f9062d42e

SHA512
46ce7094303278568af34257dcd6d91f4caef7a949b334802fd1d11fd86035876d8aecd7637da87aac111a3413732fc661c083cb318a2a4e05c27217b77cbdaf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d8eb267448b2aa5ad1483b31a8c37a70

SHA1
972b3d8d2b2052c9030d8c46e4b9c886fecb05ce

SHA256
e4cb53f8ddb7566e24b2667cedf7fa65fc27706135f02b3595e88ec790ddd460

SHA512
7e996ee1c36fadd1709df00754c835f7df2f3eec873be2b40b8ba0c18b80b5a9319a8b998f5e57776119542cd764ed1bb2d4ab27f3c61bc12756df52c9d54be1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
610e899570548ca79af2791a5a219021

SHA1
e032eca5fff77e1735a07ed48d9c0b9798c046f3

SHA256
7858402c1c346003a1ec678bb8b3cbf3f307742c30cb07e75643a6f5e679b955

SHA512
fcbf3ff772d8991fb6ca43ce16f1f6db4435c0c2481bd1bbb905837c94b874933548af4bfc74767f6a11ac22ca6a32e2a5768a9adbdf4272771ae21edb2cc834

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\chrmstp.exe

Filesize
6.6MB

MD5
43131e69db1cb83983d9245f98def4e5

SHA1
cae19d3a24b50e1ae0b9d92e5c96f71d462277d8

SHA256
0163260aca50b458f50243b0ea506915278eda2afc26c2f3a6bb9e6f47b1841b

SHA512
4293229907b0f37d95cfbd3e9730496d9a5bd89a0a86d69d875326d8d08268cb6aacc1c735b3b63741a80da46ade535b86c4c7996a7118627ee9b00c712457d3

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

Filesize
6.6MB

MD5
85d00e3bcff1c569075256e242dc9656

SHA1
2de59da15a66fe8d6e112f8bfb644c4c9fcdba8e

SHA256
3968bb9dc98218f0bb45a4b23cbcb125ed05e0848f43a9ea3c7a6ce527705b82

SHA512
ccdfdb400daee145e2739467a22d952995df9a5b774dc1c2da5fcfe635522e8eadab277d40d0e9a4872568f933c434fa1bca22393bc364e5ab13edc7521075e6

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
94da6975abf3b1e6127e85d4889460e4

SHA1
a186e7f043443ddc8d06e018a8240222d6109914

SHA256
2eee86cbcee3ffd7f1dc726d0d734eea5bbea61a371f146ca1a7d999de8ae610

SHA512
c6b0609c808233893e47c572f6d8ddd8dc28ef765d005fab9987260c8f2e373f3fc6c3ebcaba9d1f3d8789b5bc1f1d3d1904f930e96aae4d5c7112ff721748d2

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe

Filesize
3.3MB

MD5
3f10c7c76337ef76464ff8fa07830875

SHA1
3751d518bf28d7c5200b947698af9e4b7c0ae109

SHA256
9580931caa88d62afa8f9660b2077dc274c1073a8d863140a82e0d5174238ed3

SHA512
8679dcd9805ce18e0ce539af944dc8e0b12ce58ce2b4503ea99f7eb27b9c5e3d0bc6b02e0e945cbd8015d6f9d49a427e04b272a75f82784c9301f5f31d439f2e

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe

Filesize
2.3MB

MD5
f08114de1baef6d0094b2d51990a8fac

SHA1
27da62926900fdbd3ae335e9574db7abb67bb9b7

SHA256
70236c577eb078f5a7a0ca2866298f0517db7b9fcff057a7069a50c6545a46c6

SHA512
063ebffc2147c94662db8c4d74063bd93eb7c0c66e06e7f1c81f84c9344220169f1d18bbab11e75287d7c5466bd440a4192e10a28679efcd12626e92a4fed339

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\notification_helper.exe

Filesize
1.9MB

MD5
4ff9aac073b1715f0a3b28d0be0f6d11

SHA1
fc39d6dfbc5b0cbadb5d2a95151a3deef1850431

SHA256
10390dd9ce9fe1198e057e93b3d28214e166b15a90851fb942be53574fbd7258

SHA512
8442a1b2b93f60f46fd16567cd5d074e9ab760c8c2ceded10e2a38acdbdf834b78164d2b2c162fe419022c7ebafccf0a3cec0a6e90337de9e7c151e9dc3a5e24

Download Submit
C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe

Filesize
2.1MB

MD5
dac7f0296f9f7394be899d67ec08a38e

SHA1
ee99c1c5369aeea526266eebc7e2d62cd58256b0

SHA256
9b1233cb57d7e8469af0d29ba309936625b72be0890e68abb1c76dda6c3bcaee

SHA512
f429a449ab30ad6caac2e8606d0b9ce18dca1964cc9fd92c24797aa69fe492fc864c2b9f38c3e4d90095853fac415267360307051d97ec25d113f6f9427db6ec

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
71e815f344b8b02fcde6918ed916d997

SHA1
4e878b602179f55719a8c0b888d4f8e9ae108450

SHA256
f32c12fcec55f92450baf19d1e6575e5a3b7ca99f676a8c62614206a7c4748e8

SHA512
c63199da8440db7bd445ea31f07efeabfbec390a9be97d05a12e673210d548629d313f5a15bf6e652c4ddf952e08274cad510079397327550b09349c2d675196

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
2965de46db6945eb62afe4a2df08e394

SHA1
aaad71bc8dc5dba44809195ab64bf4625d6eb2aa

SHA256
2986ffce8c0ad97a484ac7672b058212a575b37178336e414b93b7cecc6c8bfd

SHA512
cd9204c9c355afdb9069cd1a9be144f5f531955f160794234dd927703d76d72e6ec889a0c31195d3ad377cf5790046ac6b2b8d41e8fd6c77909ea120d9418c85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
116f923b064de732531a44707316ec31

SHA1
88aeaef4b0eb8808d76b0b9e95c0d93b248aea02

SHA256
8f59d44c2c5237173fbb56e4968caf6bf92f5ce7e00519d558c3e023e93b73f4

SHA512
f8cb79ffb11acf9809170be1790dd80a37bf2edad0f7e0b14d430034f89671b5798f81a766e6cf7d01a49b2af230381d422fd3e78e596e173448000a56995851

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
d82a0d388f49c9ba723ab4ef8c370c39

SHA1
758245454ae524f985056e5118a3dd587fef8cb5

SHA256
d18960cbcba2e306438b83b27a691f28a6b3a9a73b3db023eac2fee529a44c19

SHA512
be10547aef71e2b170dd1309dc979d88f7f688d4fe1abf3886aa055e279b87536ebc1310e48ea244f0367868726cdfbc56b9aa22a79d773c3bcdcecba800a79f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
2a20da22017922330c454dcd5f4465ac

SHA1
7d7ba566f59fbd2f4b9a6a69db14e22ab21ca770

SHA256
49ff6c83f5b6783f18cf0232d028147e3472bda97343f1f5fad89b6d6143e6e8

SHA512
8fba9e9d4f5154ea400d5137b5d4c1a2cfbd2036140859d6d368727ecf2d960a6c1ab21b61d9cb2c224c4c6b9cbb1434afabd35c382863970ad94762585f031b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
cc621c0bbdb6620fef08f725ab379e0b

SHA1
e0edcff47da38dafa004ee5c62e6d50c0b97a9eb

SHA256
6b8186a1a07d8c180806af7a935e486697921f167b71d325f222fdfb3a8a335d

SHA512
edbdaa5b27fadc80fefaadc127b9b5c8c6a23d4394884d291a8c7c05686723a7d111054638302754a885728965dbb69e5387b8c91aa32dfd44531f98446d6d69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
13d5117ece947a6862660705e5756c39

SHA1
7317c344ce6b6bb742e1b8a07314488ed1711aa8

SHA256
3e4a1018b1b802cd26634fb8cb34a9794b82ce452f79ae4705a0306e61f7592d

SHA512
44d4c99d16c07f46f167715087b5fd90c4dfb0dd8d40c20199f2b7a3bc5646c04ea8be277ba233f314e3c5fffb754a1decc08ba23f75a59db5c5acd00247a3dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
6a3a5a96913b26bce3ea064deba67803

SHA1
b629382229b3778f452dc6cb9bc3d4e809818c14

SHA256
34428e5009ee8a19f3139ef0184ce26263a91721329e2a6bc68487b27d798f30

SHA512
bb4fabf1ec09d457a058c28815bbe1010125b24877f375f599b5646e16ed55c98ad7045b2438275bc41a64e183aeba0c75e297a9e27795095c603aae849edb88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
60bed5bfaff91130fd5ef280bb22d1a4

SHA1
173d07b63b197485342631ea85cb0a65cb6b1aea

SHA256
a4113f895ef5b5f24f13e93b210a86a3e1a7852bb5018a249c26c0094372457b

SHA512
4df153d52bf751946c000cc8f6fb2024d402a62338c1b8d83fc17804b4138256e90e6cb289e2e90c090a1afad7bfbe9c7858d61fe566c785d80ac26da0b51ba8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
75ec48872bc889fe33d1c4a6389c7955

SHA1
17e3e7e90562a44807a11ab3a8ddcc4eb64f67e9

SHA256
e3dbbe1c56ad57a237e76550d037e455d94c5f2f91018b47df3bf63760d93dce

SHA512
983710e746851911fe4f6af96f8d0a4bd97ca6f16a06e563261e5d5b73caeced295903a9c358d997f15ff7d1bae73df3f399adb661402cdd745d01e77dd7b6ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
51d499a010e465de2cc375c717d1554f

SHA1
ce89f11f6b42a2b9022c1367c9a4db69655d92e2

SHA256
4670872ffd7bda0da3ef11d8594988f86d6a3ccfbcb750ffa179b901ae269bc0

SHA512
d3958df92a2d2c1ef2c543c2f1c6c984e46fa5a6e4de79ef1072d7330d5c0d8d05f7a71daba903d847e7fabca5f69d18dd33e320ef1a9d68baada76dfc6aa4c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
46ad9dafdff6bcdfa62d0ee010f1f63b

SHA1
fa258a0008c0f37ebe67c46762ee06fa08d7f3a5

SHA256
0d76ccf01526add37adb8b26faa0f4f4f775f8e05981bb965ab2f25fe909a2b7

SHA512
094abe91e41f97fc901bdf6312586de377b86b15b073e0c0f0ac655718bf9ea703856da38330d47b9dbc47493f7233b4ec44b1b3b34a99bf836def4ab5ec05f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
6d97ba971f2b224c09d07007e2a2de9d

SHA1
9898f776050ce523cf3d3aab765cb09934985f9c

SHA256
c9e1ef7cbefa1b9dabcc78a8cdcf66b73a9cfcf3f0fadbf57e9a5e614fec79ca

SHA512
9e9470bb20962743e2fae29db55588eb58321d8cd4a30109c6f908ca7dfa98ab99756f0302a1de95ddecf1d68ed0be94b5cbe7f2e771d223cba0d27774ae07d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
2cbdd6996f4628aa1825cffe1e9ce57c

SHA1
835c539353c416a25c43beca45477b514c704126

SHA256
e455cfce1a5bd30caecb32e432b01dd7b3354efe8abaa723776a1216d7a3f2b2

SHA512
7e44550d91536969b3edcf6f5083263934902ad2d99b7368642d0bd7b43f46e472d7021c010c7ba3e7b87a477a59a696197274a88f3c8723130027d348d3775e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
43be08f7df322bba69676c620cd15561

SHA1
d42deacc9bb73ff78bbe54aa13ab0082af7e8e0c

SHA256
bbec7e183277f57cb30addcc8080eefcacf7b12806335b90b2037c5a445a170a

SHA512
c85fa123d3c0099cfaa93190f65f29cb8a77f8abf70b7a4bcece619171d51b3a98b1edb3137a56159b981080a82a1c57f7331143354528f4bd5dba29c26ad925

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
80a2c7880238eca8fccc71db0189f3c8

SHA1
83e2beb7f533585c8a4844f603f2695689f33ee1

SHA256
dd35937a1c24908278f0ac4e313d7d95433bfc36302c92737fed3a6819c33ae8

SHA512
25794144ac8bae703a4fdb2cee7a2a7c656d4ad741077f9eb892a3deeb7b6b0c9f255c42bd7cb37448c4b41afd91a8cdf7aec2dbb5d3aa033bd28274f242ea1f

Download Submit
C:\ProgramData\{F899C9B7-9E86-D23A-4280-9B07272DD201}\55261928.exe

Filesize
1.1MB

MD5
9e894f9f5fb995c45c026405c38cbbfe

SHA1
43814153b994f5fa0f0436f7acde3a4a8767ad7c

SHA256
9908f44de0b732bb4a8eef3e668f7869262f2817eb52c8f99c2b8a3cc9880fac

SHA512
b8b66da6a85449e4e98c10781fef5b97b672e8543ebe4b1e0873056bf08c4ddfda166b8cf6e93485936a9177516c5d58d0f1d551d941dc41f277ccdb985bf57b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
23074cbdc2a8d72617cec3b91c96ada5

SHA1
daa710865b42a443067efd390ccbe018a4696f32

SHA256
4dadc98962c62c5c7827b5fbbcae9804d018cdeb7c0a1028d7bdf4e50834a989

SHA512
9176ed8f0f6b2695a9551c19e7128ea6e500a65811efd3d2f3efb95e786e3a89db0a693dcf9d56936a344fcb32030d4120f2c5c22b65a209e27b96fddb2ed9ab

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
181afb1835c55fe6843aa27d7f201a49

SHA1
35a7caed2705d34ba60dc5768c482db2d96f0168

SHA256
2157e44bfff8be91477332e676b73c83ddc0be8683c96531a277d276c81ca331

SHA512
569b9a16cb68b2150cb1bae576a5843af9241b650ee3b97836f774ef69ac32ed79d5aa74197999c6c0474f97b17f0dd7442d740fced1932a940f7234859aaef7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
a180281fce47639848f8315ca1742713

SHA1
59a40aa56d8f664462216aee2e6919f19d27bb7e

SHA256
b79fd1262690b0fb8883713bd9594ce723a657bdff6af2a391761f67dc8624a6

SHA512
4f8ab91bd356e447301891cd60047468be797f8fff638c6ce697b137e3855ae43744cd82543669ef677c00e3892f7df64aa25092d13d55df65ef2184ed7658fc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
435d85a9b8893e90b57c7225d668e967

SHA1
9cfe20bc54cc391747be09f12ff1f966066674df

SHA256
829f7662ec75cfa3365b7f9fd3eed0609d2cfc7c49b639566cb37144db50d730

SHA512
68bc9ef5a2e3a5b63e1fca810e157929e876dcee2a6abbbc06615c7a40129fadf9f624b0a3fa4b9b36c0271a846497f4081d0749e1c5617e214066dc296b15dd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fc8cf0fdbe4e88e721abf549e6e2905f

SHA1
87d45f8922bad453759c13d94056c58033041ac3

SHA256
7d32e3fc21ff42f238a9aa59df20be300db3ca267dbe89fe04a1e26c2e211faa

SHA512
504dbef56721584cf010bd1673206bd5320904998a0fc5b7d05cc3720fa51bc453cecbf185295acbc152dc2369cc971dadd39e8efa9b55a7c7b4d422ed6468fb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
81b3682dbd2d036534a4cd7cf488ae4e

SHA1
62bee6a90bfda3e74453fb4d7051de348d6996bd

SHA256
515d9984e8a1c5a004a5d3e293bd9979cb24ec088c4b7ef8b5149e225b1b621e

SHA512
db584c47cc3ef7ff1bcca76258fd67726d5e8b8a155d4f3c802312f2aa6d82f1956f42cca30fbd328f79d25679cad5da31f4756afd26b35d05c25d887ee82441

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
3edc07f9769b5a8873cc54f9b9507ebf

SHA1
2a1d3c248a358a4824ea480dd64c0d5f58a3ac57

SHA256
11be49e5a85dcf5a6fb8334ea08247361bf93917557210489eec1568182f6675

SHA512
e00078ffa67bf7f24580de171530ca96cdbd080119ce42c327cca2f697368374bb2af4ecda2a420ceda069f97000cb92bd655842a92abf2be790a1f64b8011c6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f0f252e7abcc04dca6d40ada2c2d339b

SHA1
b791cf58e14b20553e1438943b19eb99c3072cda

SHA256
169dffa49dc86fed9625cbf2094188b0fd1881c058dfae3c1f6cc39cbbc3d254

SHA512
09c53c99468e81f083025111e09445ebfe94f6417fd1c3d63148798eecd9d93185eef6460485595c4d83f4906cec92bdacaddfa4b2dee2d420f5050c9035e75e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
58a57f200428fd28ac744aed31e5beb9

SHA1
7ea6030ce0f9542749003ce2e7e483403d3f9224

SHA256
d546317ef4d225f6011d2c0e08ec261ab5409cafd3c1411179ac0ce3e8aeb50b

SHA512
2e64cf969383ec0f7563a0f49f4072ff5b7b4ec17f9894128fb7a35ed82902799df54d042dee71bbcd4d98770780c0bdb75f31ae037fccdbbe1b1a71585effaa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
68fcdbcec665a28fa6d8cbfb8975fed4

SHA1
8051116c9cf9fc422d3b0a4c783f9c7ad478c5de

SHA256
ef44b147e5f130eac727eee67bf8d8dca6c0963f38fd47a3ba185f241700e362

SHA512
089f0f63a31787b9f26df363f48028c94f6ce13b2d7c536fbf12d6849a196002e9befaf3ddbfd339a5a80c215b1c788a5145dfebffed3b7fd26a915d181aa9f2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b44b7f05ac61bfeb3dade9c6ff28486f

SHA1
27ba99482e099f87261911de42a87e76c5af88d6

SHA256
7cee0c3390e69acc4c6986252637d28518a4bcc604598983acd71ef34d1779fc

SHA512
84c0af4b1bb7289ab1c516d261ad57d705383537ce65265a6f7ecde52e528f11793c5fb11fc5adc914f753b5da9151309ab795b764515be14c5a6dbcddcff2ea

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
beafc0ee11e5693676cf8680d8e3b97d

SHA1
96cbf87bda29f041edc9fd3b22bdd7b63c6be22f

SHA256
e4f32e6a67d8ff1a2d766aa09dc31aecad92fc3b6b7ad3399803fdaa32dfd889

SHA512
00369d59af3d7bd3b43ac524731164d52e8b33234d0472614e2b9cdda37ec4cc8465b6e3e234fd7b2671f79de4e7489e04d708d22746f85b1863e7ca3c1a4b0e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
cc93c7fff5f381af643f6f91e94c4d98

SHA1
368245e4631894c72f20a2ab6e9da43bc8aba464

SHA256
8d1ec66adcaffa796f044823ff7cf0e1d7d2af1824517a1bc0f9fdedbcea02f8

SHA512
d87db269d9f1940ebbe59ff57e2e5a581c0482cf1be4ea085dd1906d011b9ef915f8c08edc6f3ffc959bc16e40d826195c65bf26530610bbbb275c54a224cd96

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
655ec0a5b35c4119c64e4be658bcd4c7

SHA1
02e07d52c9e288aac0594d9bd440cb695a4178ab

SHA256
2a4bae5840208e1db9c4d9e245aaa1e8bb37811e2b2dfab5b1c130a61b08085b

SHA512
0b69e4f29f6a32975bfecb7a88f6568d66d681c3c1974f3c7630ad12d2b37ab6b327060aa39f2dbab46bd179c3aa7fbcd9f6e6e5986d1c9def5871c9feb1cd71

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
4857cf948ff813ce09a8e428287ce1d3

SHA1
0403a645f60ee86c31324215c7ba8b61b5b9f55c

SHA256
5d454adc19f688108f719e239863c1f93fbefada28b58bf82689aae458ce0113

SHA512
8972360461de0b4c9fbdcaffa20b40dafc957b3d84485deca4e84d67c2e96814d32118bd5b6af57038cf87a5bf44098175d45a304a65939a819f64ecdabcec4d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e4ef47980cf4c7a8595d92647a434338

SHA1
ae34af40deda9da594de1297e5222bb4aa32f9f2

SHA256
3d2e7a6f6ce9cc2b1b2bc0798cae0accd626a21cdb0dcccf4ea0e2daa3e65c37

SHA512
3d91050b38634d10bd85216ee57f2aa73d7a122c40f86e88f6ee07d60d3c4dc73ec3acce0b6094d2881f276f89fbad0c65e2f3e71501ddea336f274b29586a63

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
caa50accde781ee6b831cae403de08f0

SHA1
cdf0ccf45d9c9d39719d589cc453ebb114c4533e

SHA256
856086b443ca0534f348a7b9170551d0d19beb6af6fcbae5c6c534feeb9b0f2e

SHA512
5762070f160d2657e3f1aca87758e613d75fd0bb331d1b6998780e306bd298926ba67ec6e5b2b0ad075618fccf6c260ce04f52d7f120acbab08353a6c8bbaaab

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8ae3fe9aef3af8687fb1df6a1cd2682b

SHA1
7c4dfa6c620a2987698cf70a73436c2a6fc8b919

SHA256
83c1b93cbb2bbfa64520e480b809bca8bc6d322e9ae83b6d02500901c4ccbb9e

SHA512
2a88c608ee9ba1315ac0db20c381db793455fa8d2046227936a8d3e6d17ff80e8425ea1103866625027b8a678dd47a2a8d273128598a50be0f97c8259dd55c9f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
00e50f0a1df745134b607f7bffbb7fc5

SHA1
3b1b0e1eda8716f48fddfdbe3f04c0711f1545ea

SHA256
beceb9299769b31b84a7036b239d868c5918f0bf8f93352f30a4750acf2301b0

SHA512
eb333dd9f175ed7ccf9ac744d62a78ce867f992426c2b4206b6106af6b56f5909c4933f763796b5124dade68b0a8e5a06fa985d922c82330eaa5aa80d86b0465

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
f992d123fd058c69418cc6c29c8fee44

SHA1
6764b72f30650a885016f8da98a8292194ceffd3

SHA256
70e835d62e656671ff47d737be9c26e7315e538f91da5272b97da3a9748d0484

SHA512
1f460a54b624f9084345dddeedbe70051b3234932f709dbc15aadbd447a14f2e55e5ec8add0932775546aaea36ef3ce324105997daca3f193146bcbec823354b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
178bb1799509d61c5cec8ccff9ca583f

SHA1
d1e4113a58a1fc9e13f02a308b324b335669f573

SHA256
f7366413dc020b2d432746d5d888f2feb9b99f222b9bac98e3e944715759eaaf

SHA512
c69c46d1d874c2bccde1fb0a5e86d2f19c0e92e01d71a7af0131cc34bc0ec68e6f192c9a6cc6b113ba37955c21396c6239deb4e8ef31087e982be778e6127602

Download Submit
memory/540-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/540-464-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/968-91-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/968-209-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/968-90-0x0000000140000000-0x0000000140197000-memory.dmp

Filesize
1.6MB

Download
memory/1252-481-0x0000000140000000-0x00000001401E0000-memory.dmp

Filesize
1.9MB

Download
memory/1252-187-0x0000000140000000-0x00000001401E0000-memory.dmp

Filesize
1.9MB

Download
memory/1284-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1284-547-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1328-71-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/1328-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1328-186-0x0000000140000000-0x0000000140266000-memory.dmp

Filesize
2.4MB

Download
memory/1328-63-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1448-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1448-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1448-26-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/1448-117-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/1448-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1540-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1540-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1540-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1776-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1776-586-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2960-12-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2960-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2960-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2960-112-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/3192-365-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/3192-170-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/3460-245-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3460-580-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3476-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3476-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3664-87-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/3664-85-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3664-75-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3664-81-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3664-83-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/3860-198-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3860-497-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4040-584-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4040-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5104-113-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5104-224-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/5488-45-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5488-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5488-48-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5488-39-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5488-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5572-126-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5572-244-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/5680-129-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/5680-248-0x0000000000400000-0x0000000000575000-memory.dmp

Filesize
1.5MB

Download
memory/5864-139-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/5864-261-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/5924-585-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/5924-270-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/5936-52-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5936-60-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/5936-58-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/5936-173-0x0000000140000000-0x000000014025F000-memory.dmp

Filesize
2.4MB

Download
memory/6000-74-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/6000-0-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/6000-300-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/6000-8-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/6000-2-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download