ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23/04/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
Size

1.8MB
MD5

2a7843da29ee14ccac393ab8f2449483
SHA1

731d531c76f490255deb8462051305983a69f6ae
SHA256

ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb
SHA512

9148afb91824c3845a478b113f9f0cf4dfe2e51e7120c3951f923189ebfb1080b7e657063802900a87e8e3d8d32ab7a4bed6d06fac6e1a29df4e271296deb4f1
SSDEEP

49152:lx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAyFO7p+5gRwPHqqgvNxnz:lvbjVkjjCAzJkp+50wPzsNxz

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1916	alg.exe
1072	DiagnosticsHub.StandardCollector.Service.exe
4604	fxssvc.exe
2440	elevation_service.exe
4108	elevation_service.exe
4224	maintenanceservice.exe
3944	msdtc.exe
2380	OSE.EXE
4952	PerceptionSimulationService.exe
4476	perfhost.exe
1436	locator.exe
3516	SensorDataService.exe
5060	snmptrap.exe
3696	spectrum.exe
756	ssh-agent.exe
1912	TieringEngineService.exe
4064	AgentService.exe
4876	vds.exe
1412	vssvc.exe
2152	wbengine.exe
980	WmiApSrv.exe
4124	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\locator.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef9caa4cfc7bedf8.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\GoogleUpdateOnDemand.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\goopdateres_vi.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\goopdateres_el.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\goopdateres_fa.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\goopdateres_et.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\goopdateres_fr.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\goopdateres_sl.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\goopdate.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File created	C:\Program Files (x86)\Google\Temp\GUM54D7.tmp\goopdateres_te.dll	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b0f91382995da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000953798382995da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d00e673f2995da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080d676382995da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8bcb53f2995da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005423a4382995da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008ddb13e2995da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022999a382995da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e8868382995da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1072	DiagnosticsHub.StandardCollector.Service.exe
1072	DiagnosticsHub.StandardCollector.Service.exe
1072	DiagnosticsHub.StandardCollector.Service.exe
1072	DiagnosticsHub.StandardCollector.Service.exe
1072	DiagnosticsHub.StandardCollector.Service.exe
1072	DiagnosticsHub.StandardCollector.Service.exe
1072	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	116	ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
Token: SeAuditPrivilege	4604	fxssvc.exe
Token: SeRestorePrivilege	1912	TieringEngineService.exe
Token: SeManageVolumePrivilege	1912	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4064	AgentService.exe
Token: SeBackupPrivilege	1412	vssvc.exe
Token: SeRestorePrivilege	1412	vssvc.exe
Token: SeAuditPrivilege	1412	vssvc.exe
Token: SeBackupPrivilege	2152	wbengine.exe
Token: SeRestorePrivilege	2152	wbengine.exe
Token: SeSecurityPrivilege	2152	wbengine.exe
Token: 33	4124	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4124	SearchIndexer.exe
Token: SeDebugPrivilege	1916	alg.exe
Token: SeDebugPrivilege	1916	alg.exe
Token: SeDebugPrivilege	1916	alg.exe
Token: SeDebugPrivilege	1072	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4124 wrote to memory of 6012	4124	SearchIndexer.exe	116
PID 4124 wrote to memory of 6012	4124	SearchIndexer.exe	116
PID 4124 wrote to memory of 6040	4124	SearchIndexer.exe	117
PID 4124 wrote to memory of 6040	4124	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe
"C:\Users\Admin\AppData\Local\Temp\ce35bff7d44a17d09be2dfc6d91c6de837fc376e6109d5c9a57dd08454876ffb.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:116

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4604

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4108

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3944

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4476

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1436

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3516

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3696

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4820

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4124
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7f8c495064d86aa5c04af37f8c400d38

SHA1
46a06910c9e23a3c93e0052f114f782ff04b3ff0

SHA256
494f9ae626526a6a6aedac768be27c37ae015d8a3c6b0b0ef20effba66e55de1

SHA512
aee4d5e313e8222e8505820b418787347ea72702a706c8c68b26a78fea9b2a7b8c14d05157a433a3ec02bad5866a99020fe2454ed41f87fd9c98a2e1b7b24515

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
285433348116a9864f074c4dd293023d

SHA1
6294c624bfcfc04f35b34855c98b612ac955edd0

SHA256
a1f59a951ad7c6c8636366936337daf7482424883cbb33d94521291d67ce8b3b

SHA512
1dd635148e9ad37291955b2043fa9f2f212bb2c4953d955c8e6af9ac2645891a0d148674ae4300525c5a13fa3cdd5545d11185a45e83dc15c87f0c33cecb779f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f5106b10eef209ab1ea2c21b10a9eecf

SHA1
ac94d34b471dd88824ba3f8dce970c0af07d042a

SHA256
113d05f38aa2e9a8b78177196f52f5a38acd9e910d64c244d368c500dd796af3

SHA512
f788cd3e6b7f3906e29466002637b93f6dc2abe7da49a389b4d9ca3fd90a90a59940f0d98b96d5504732d609c18eb5bb675bbfba26048efaa45f8190f34c9b23

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d5e6367f789e5f495340d9add3888d2c

SHA1
9df4a3bee7996299663c9d465d3dd51249b46a9f

SHA256
96a77a95e43c273e18b0e52719d4e795cb6cb0946f43c43e6ac29a516718aca5

SHA512
d165eafe6f072392fc8ab5e0659757a8580565869b79e47f0b95a545528fd5aef7ca7b4b1e9cba22ac5d169cdad01f9239cc00bed2605130b3bc9450f79ecf57

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c1f2ee2cd8a7523c121e94410d10ad03

SHA1
ac3cdade37824f6697f9b6e4d14d895733b29796

SHA256
53cd850a14fff308e79cb0d844c758b6f749a4b286f86f3e9a9cd67e9688c252

SHA512
7bddfaea0d63a23f41463d67376bc36a98038a9e274943dab6fb8e917cbf071736d70b71fae5d500ede82fae0673f7c7a7036cdbd353979ef23405731be0a456

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
55eb541237c8d74511b8453de9b0a484

SHA1
2070cf9e026b037329ae53d69b5ce71bcc5d95c8

SHA256
53807459958ab36d1a3d543441ec6d8bb1f2aee9ff08944f2a44ffd528d33207

SHA512
81754e4abcc42e41989bc7ed031f327352b7b83fa5ff7c9736cf85d76b94a7ff7ea8299430d3d2669c4fe2ff1c6e67a23c90b6b3b0fc4dec08a5245445d70206

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
494765c7e5233b7651e3e362305f5f88

SHA1
d34254a71ae0add626e24825a1718ec68aedd3cd

SHA256
a2c15d9012d9230e18cb5ea3d9e5c3f90cc2cb2331c62cd441118eee60858727

SHA512
3c40fc1c1e1f0141e7c05cf54ce87a439435a1fd2134a45110c39ecd4d6a55d2a236c7c504b94170731960bedcc3955ee9b7dc8bfd522b05fe2cf01e399bafb7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6526a95070322807c12d5226e65361fb

SHA1
dc7bbae4c2c14554f7fd34f91436b1b52491b9b6

SHA256
dd36564872dbec0f2a668de8e3ddf914d9f440d3cbed9f16a55d0386915d700e

SHA512
16422f218c540a00795544db77e8d27551884ef215e10f2b1fe4ab52a33f55381b37e05bcc3f8fbb03654da74f89930f7271498e1ad8dfe64c90db28fb32995a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
891c85c956feebe62552db1cd5720f56

SHA1
a75f2fb643816b7fd66778d0034fc5798ddcf110

SHA256
cd2d47cc6a3d0afc7eb113f8567226115a60fa101700c22080714f50be814860

SHA512
96a30f37ed4de61944e0ccad21438672b849bead359f0673b75f7fca8d6a8f3df6dcd614e019fcae19c8f3da3e46e4085855f6d4215efce2b11c81ba71effd73

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5b8abba65d5c2dd63ffb85f48379eac1

SHA1
c0c30b7aceab7d3313328d6c3e534e93cab3a005

SHA256
bdda7551c2eb8fa49fcfc6f84fa9e634aca087f7a2b572dc98e49c612017747f

SHA512
5ce10faab786940580f63d9d9132d3cf662e6d34d664ef42dff998fe6199cca3b9f3be62e833a20fe1cbab0f5ce451611172e45e067927cc33bc79aa71d07fcc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6d62f7dcf4fb0746429d2291e9a17f02

SHA1
8a04234da1aa1e6eaf2b21d08d51c1362754a362

SHA256
185fa4522a0833e2fc170f0f66148165b7648b6ad72a7d086939505650c202ce

SHA512
c5ecfce5797506ebe48ef33c21d1766a492a382852231990a8111e5c4ae467dcd41386e115c50c7006287cc0e17f304a2cbfadc12e09d9d317d0dce180419895

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f5002e4ce7a95a6dff30b6b61f4bb089

SHA1
7b66a1f864da3f2a747016c0a9d9573061a7d031

SHA256
fe52c20506bfd57f3ccbdd145d454417f8a342be0a3023d9f5c6de2d7f022469

SHA512
f69297caa79f43483c8bc9b47d9f0749a48e55a4f6ef50e7fb3deb28cf1640a107ae15ffa3e34f0439e9bcb9ebc22dab94d782ea1c20ac6a4c3b23bb16882b4d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e0745e23790062e605d4019efcdf74db

SHA1
b862c66522a4ce21ac35accbc63977b2683fcdaf

SHA256
16fdbce175143b552564ea0ac76cbce341f9ee5de3cc92944cd8168e5a144e26

SHA512
8257e56122292763026a0aff2e696d65921155e01d3b08533ab69cef9fb925258fe463f4b972b09cb8cdfe36b744f7f75759c62ba6368dfe75b4822ead18b060

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
53fbd9c7a6bcc9fa3d6d381fc33eff51

SHA1
52093b75f7d63e3fbc32e3764c9beae637e83f91

SHA256
57e9bba5e7a75913ad417f69d2046312a61f57f2d7e30591f9b1c49a0134d819

SHA512
753064081b7eedf08f9cd5fae5f03280fb0b201685dd99e47c30b2456b71702eb658c78d7aa5c3d885556709c5007a05e0309612b59dde0f6e95f11eec0b2d2d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0bd759f8721b769de824dcd2e495f431

SHA1
35fec5b8a33946a1139d812da4064a8d2475a309

SHA256
b0baf141c40a6489b5d7c3ed4b369de1525e233234c7e951ea17a06fb237b2a2

SHA512
26718bf1678ba1d3c688ef59245bed3503503daba85ff333fd4b313956ccbcb4922949331cfb4be6a58e0911f9992cf205efcdc002891c73ea51126caa827390

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
25043cb8ecc91f3118670e19d1436f1f

SHA1
f5bac1deb67bc51c95531a93e2ab796a29e5a0e4

SHA256
dc93bce9227eaa7882d6b2feda04b938ed36413a3f7a5b74abbbd4d180a52315

SHA512
491b9ee0e41c9f1106952406c6d973b729c15a93552dc9c8f05d3c73390359e1bcf85800fc695d2588f73feb7572901b1e5e0aea9db17dd8b4a6cc08dfcbb410

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e965ce48d9a39a28a4d0e52111137867

SHA1
87bb2e7d2a77838805fa2b8f27755aa1617fe426

SHA256
a980aaa0826c5192660fd548376e9f4661412a6facc869df54ad25ee520352a3

SHA512
15de597dc370ebc5130a9f1333f9da52b1e92c22165c342315b119ebb6c331ad65b8e92d3a91b4df3de2baf3d645f22f674937126cd432b89ad2ebebd8269f39

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
693a29cb1d4f3bfd29e82743275ef785

SHA1
a8a9248e26d624207d1d7f67739a52dfce8e6992

SHA256
58e4561b1f9897a33632ef1fada677d804dee3035eb29ea34a95beb15a5e93ea

SHA512
d3a5884e76e1bc3b25f549adca01c18a4ca776c469aedb80e437e7284a6b59434d7908f51460404c7fea0362601ffec4ded5f06cbbfb9282620f4aaabda1bfc2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b38f6c289529804c21f9d7102ba8e774

SHA1
ad752b80a858467eb72d90e8f084545f16572066

SHA256
27a40e0ff2d47cccfe9121916d001025820c49d9026a26a3d1920f32e7c90e85

SHA512
8e5993b04ef0765cdef46e60474d18d22122ecdddd18c741387fa90fecd930ea838460845acade883a0775359c970533059232772f5d4318253b7f69cafd2643

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
13153f0648573e362e983e658d5fd37b

SHA1
27f1e5114d1cb50b8307392999adb9b9e78d6332

SHA256
28971edf826619df0a9c40632d1150304bf0414465a4ec2a1eeb5380b02a4e4a

SHA512
76c22623f6e2a06ee5acd4d65cc97d94d8714307e03998515b28461dc0b45b2327b1ae885c7f688dbcfb4f5996e3537a0ba232f2cad201de371ce32583f8873c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c1603a9d20735330c8ea144f9ad50a9c

SHA1
ab6da75cef184ed033906aa3bd08c830f3fe6833

SHA256
6bb7ef2323dddbe4d7be4fdf2fc3bd722e1f33a987971ff70f80479857e5ff25

SHA512
ef161ff95e41f356fe3106faa92e11dda7ea5a00f80ce6bae7ab5d7203433ffd8246a6e1753e3284004fd20dc5296af0eced99716dce1a3f06c8fafcd008ec44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
810a43995d58140ec2ebca62105fe103

SHA1
f9dd41eb89c336d6b59c9b13214545488c00f3cc

SHA256
39cdd844fb890945656a2c1563661e1d1f16e4db1c3effa8f2f1f327eb385799

SHA512
e57e8b35b7ddc19a72de088eb6fab358ea293ea0b552f2d32caba14dd8036867853a19ce79d7c2cd9359240a2bbdaae6f92cee69fa67d25781039e22914a6cd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
1d89361b40e52d6ae19a7013ea244447

SHA1
fce949d2ae3a458fb281aba72fc4706682d2bb8f

SHA256
07e3f4f6be9cf1d4621f7e7234c0e19d7d6c933888dfaf73bdab5149d6ea589e

SHA512
13ace16019db7e2fe468098fa35ae02a20578a241fdf2b1ce619e1ce4c20a25c741104c328a2b8b00bdcf8036ef62704974e8d4cf234a0ae303c24cf7860e43b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
635d209ad46efd114f868afdb44b2379

SHA1
44fb7af2b26075cb01528bb786228efef729833f

SHA256
acd51663aa93a06fb69848b9fb0057987c4bddac21d86c9d06cd15261b2a90e1

SHA512
bd3d41f0a7ca992878b5a92b46fd94ae71f66d27c9a9a32707b5d308fef159fab51fc00592cad643f0ebf690cb5de6bf15e16ea0e75b9049708bdae24d25899a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
59dceacd243066646fe6692b302a8b4a

SHA1
8ae400ce1f64e237f1cba51f7e52c3f2e5050592

SHA256
0a7d08b67f4aab1b491f94f4e83c90917146a9e7897954bdcd8a280e75ef39c2

SHA512
5d53cbc7c446fb1e1a0cdf405bac7930534a094b4413476f2b014060de02ffa26f7edecae1ebb061094470ac678ba6862ca89a252f35aeaec9fbbd425924b6f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e951af0d056ef3d3a45a45c43b95fce1

SHA1
acb88d8cf23b653a474023acc847a6ab02cf2e13

SHA256
e9bd27e0df71246244c9e24a3275b8afbe2e06a594081c798d6382184431258b

SHA512
a883094509c667dd1dbce20666482e98df25e1febf9a8fa8a96bedb00040b8e1f5b57e51f7d44dad6b2411cdb1b8b2afd2153b14b073292bdc951a0785e3bbfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f3f64ccd54c7522b62dcd518595f57c9

SHA1
f2ff75df1df4a1dd5e36d450479aa33b7f13c2e2

SHA256
551a2412be66a81e3c20fd96217df29e1436ab421a9d462576bac2aaee0a452f

SHA512
c78e13607a780192f52da4c97871929b55f2343cdad500b062c147f23c9cf6f752b3ae7c62d362e79b937f2705faf9d9c2452d41b8f3f9dc4b48f74de94027e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
114a522ad26cf490abec031e9734aff0

SHA1
c0af6f69cf7d8f52e2db4213bc846b2e6cc0e20d

SHA256
859e68e737efa6fb020ac6dd9119fb0256f87f71f351824d04c83534cdb7fe9b

SHA512
7e3d40fd119fc344d2e9c19eb73bc7d5753f2549c28b31646441bc790c3e9b1e4d885700c8275090c83ac5956bba398181020c6ba7ed08b7c17702bed5d240f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c3099c1b325d1ae14bfe688d36ca6c66

SHA1
262c332ee413b1a5f5bb94b2971dbdf0277a4a80

SHA256
e1e24ea055edceed628accc8f8080e3d337fc861ecad2470312ffdf13bab9806

SHA512
1f3a49f5ee7abb0de46f8a898245d46c0aec3252a438aef8d0e6960ee645298db389a45a0aa561cf84ffe89cbc6eba0c3580900db8a4013245a25cb0d71b9ff9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
fcefedf366f3cc4b148d70ad02da1bd6

SHA1
63d7f378c3fece0a8ddb718ba0a11f649c2951f3

SHA256
f87768eddfab27323ca1f5850fa3e8129d888db774b9e9f70781df5d4392a7ce

SHA512
ad902b339ed0f33b2a190512d528540baa3972a33c52364bc7c31d1cf8cab77d5ecbf48b767671a85aa9be6af644bb314ae9d012f6e55cea7e2bb531a66d4b67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
045a4ecaf9f3b78095ce885648473a03

SHA1
ac072eb534a7cd9443df7ff5a49baf6f720e4fa9

SHA256
b86fee7215a4a24e444c83e9091457fe17648986e875125d31244d46b2453033

SHA512
cb877372ab127ad3b704f8c4f28c531007cc1d14a663347b83dda894ffcc14443cfed8b9804e1860bf2c0abe49d0997a63592026885808a292fbb4e363f1b533

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2241527d6bb4968b63be1cd2983ce1e7

SHA1
82e06b8783c9329b632c8e7932f1fbd2c307b074

SHA256
753af61fbbcdcd72575bdb79abac87e4cfd0ab77384c85fe5811054fd8eff13c

SHA512
14410ceda83c57fab3acf850191ed7ebb50d9f7ee32cb8eb85d901d7c8c36cc850bdf428fc784c0cb082c24f1a3172654404d60fdba9b64fe20fdf7f91f820c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f76fb9ea6df37731699c0e0ac84fe973

SHA1
196568fa64656e5bd69ff0a188e79d14f04c7c42

SHA256
e79dcb48e4c644075e5408faa59166232b4d02847d42327b0017283021237eb9

SHA512
48c625c8021881dc36b515038c1e72518c23aebc368df45f8e09a5a27c46b3876ffff98c669f2cdc1dd3609adff4f6ce0270513fbc995863188593c025fa0db3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5c8b7c6c8dcbb01fa73b6bb43be53cb3

SHA1
f146474fc84438a8332da69937afa498fe4a6f73

SHA256
8687c8597ac7097450e7878d13dc2e439f0c598c69dae0c731e7d27048f4459f

SHA512
f95c9cc248501d10bbe47621c3bf28edd12bc0105f2bea949dfd7071f2dccd5bf32f6c989cf8c1cd0c4d4b4a497538e1af74b3c213c8584cae322c3a96a217cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
62ffb6f0374b2f5038cdc964fbaae6dc

SHA1
ef73e8603d887490b1876cc6e6729f4b22f1c195

SHA256
c44acb53f3baa9c3d9201e81047e016f8cbfb0a84605019d5dac7a60982ac4d0

SHA512
f4528d89d40e534c3cc036d1080cd4b4db08c076b4dba1ccd0041bc653160832b730a54b5e40aa9f5478d5e52f5c3cf2d7a580213fca54ff8107b8a125a4c79d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
6c18f7db98c0a14fdba8d3166ed726ee

SHA1
1707d768618345a89cbef2ee6cb8e8fbc80281d6

SHA256
3839aedc3e59977235a79dae399ecfb683c7bc561c74b1f0df9796dbc10dd054

SHA512
c3baa98d8a9322353bf8aa2ab1338e2a65b178185dd7597e1c8ee63c4c39a63e6f4cb9219894e360e08ec783f7afcb0d08c864c9d656c52cb87893690347ea2d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2f3c53fe1a8007ae4c6608a0509f68aa

SHA1
3f7ad70a7e2dd389c49ef05cf348068b748eee33

SHA256
b2ff493d2e90ae79acc5342e75f66743cd5bac80245963dcec2b6a1e27a6346f

SHA512
8ef154e5882c0d762e6b18326f8fa4188def49acc8f334203ea68463b8411ce59a1990a2859897e6d135bf8fe64dc4910ff1f158e0f18bea79c667bf9b662122

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9b03fd76839bca1694d19448f7161bbb

SHA1
90f808c0d4f87adc437e62fce35756681c201c71

SHA256
4d86d03a2dc29bb2e3767ef3693b6729fcc68e5d9388437565bd25ae5cf75801

SHA512
0dcf88c9f6caae405c5c0d4bcc00c8f1a717d5543c36be32ededd1726e5998fe17745fed590114c19ce1ba2006f41d14b7a90b3785098a99da3ebba06353df90

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
89bd65b6bacc4f2f0c1faa64c8386b45

SHA1
45447d7bc015e0f2a807c6580a6f10ac30e4653e

SHA256
76880323d1d38423fc476a8405cf91f9d7440a10b2748f6b0abc582e04979cae

SHA512
8a998305d3ac3d0c8e456cf4ca08d4ef1ec81c23a8fe133225bf31e1e807db250612d69dba706084700f20162e747a5d357c37748e71eb9341682d9ab27ab700

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
337b2497b146ebdb2c76db05f494b0d8

SHA1
e5b2737025aaf03569d517c72106044c53ac7220

SHA256
9567adc49faa595d323b074823a2fb97910dddfc8404a23557ab1562756eac4d

SHA512
314d5c3731783dabed319ed708fa5450b68c8c12c7d068be2f0f028b0e193a361370889f146f02e1b4c7e8cb5a288f3c4818239134e9efc3ed0de089229428af

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e21a70d38c34757af74505106b0b02fb

SHA1
b9b4b4b6254e5eb470ee31269ea9915746f4c5ff

SHA256
19f215fc19b8a4caeabc2116b720c9caedf00af288eda4f35dac1ed07e142bd3

SHA512
740c8a8ac9d2c2b3ace9b6b81863ece90b5277867e76e49f69c4563afee86e43ad3618f1cf56e3914ee68a0303238b8ab1154f7fa331e95a3378a3150a26a666

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
12afc863e9742285e339bbdd851ea6bd

SHA1
f08baab85f70f638b727ac83a240413f9185ab49

SHA256
1a7e3736893cd19d8d8af1cbe1042922546098f2da2a669e76fbb0664739f4ec

SHA512
f1b432736e7f7ae3855490def5dd4cbd2806273ab714ff3910b80da096a9adf5cbee63118b6ac7aee7a2253876b0674491edd2e7448d8b304fc773d9b60d3742

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4bfb173595536f6a9f954dece1dac4ee

SHA1
1bf8108e719c913f19481408bd877452cb71ce8c

SHA256
672c82ee249bdc98027ab232e97ab6f8f495b0b5e494101c9420ccdfcbcd4d86

SHA512
92be8f8404119804ae3d4aebeed6ac34b2101e54529dba0f12344ca50215bbcfe9895652890bdf86d302e2f21d5c3d4b27de11c20bda16383ae5380b1912788f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
688f333f7ea296ceff5363d7dbd8be65

SHA1
71bdfaf5dfa7a49012a0224698eff5a47ce263d5

SHA256
608616dfbb845f4e2c62c230b4a9854b48ebce4874749ae672a81021f8953c5f

SHA512
54dcba4a424fc1b87561e79378758ecc6b2cb94fd06913194d5a311a527219cae2950e66b99934a1c534354d1cf234cf04d70fea12ca75178b79b634b46a7231

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
05cceb4d5374dff35868391db0c274c6

SHA1
0eba808f35db9b6010dac7980245c025390384e7

SHA256
a20d8152b9867f1a05c0d01f6625f313099f852e42620422c5686296fb793bd9

SHA512
b398e574740c1ead161246d1c2dadbc63fb24e515157008b3a56b4ff0ffde4c4b8b179a0f604d9a8a726e0a954d3e4d8fb66de58095b81bd9b537fd3be10bc65

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
85f974843f4588bd4a9a24bbc22f379c

SHA1
14e61c6ec031309ce5b8a7ae7c7977d77d806c49

SHA256
5ab8d52e335c7f269b258930bd0f622607714bf800fbc11be3f0a2d05381db79

SHA512
c9bd1f4909fd99171d597d51098946f1bd7d91fe6736a04518263e683d61c71d713c5c6b16b20d7e9fac07221456b524bb9d500ac2162ae74d07446780d79f21

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
81865ba4562c2f3d499d07c9da2ef0e8

SHA1
ae396515d3cc9c7f2dcbf733fe9c4ffef52018ab

SHA256
562f200058ebd25456ed95533602bce1f6dfd513ecf9acae84de220a8a3809a8

SHA512
0556194836e03b1c6a6b3bf90fb78c2c4f00d89f762ce390d89da087536f9d89f12d601d3d41df96c739a57c225d3db9b9f56d1afca025ba7362f5a3c310352f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
450454c2003736ecfd448309b8c7a18a

SHA1
3896dd1c9c4a07d3035324dc915bd71203d7f0be

SHA256
e2acc099444841c9bc4824e1e96c0022a7b0145eacce78a41382824d9ed446ac

SHA512
60f5a579b3cb0e93cc03d11869ee8df8f73170da0eddda029bb7cbd5b42533f72f847a17618b9c159e65717cb0e0e06c8c7405004d133afd3be22059e94cfb7e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cdf4b557ce81f81db20fddafd5a0e6a4

SHA1
9e9ce9811979446a4ef3dcee3a707c3a39ffdc3f

SHA256
73f318dcb05841c4b13349d0ea9dfdfd5cdc3ac30406787cca0ecc473cff35f7

SHA512
c1eb950afd2991302f0881f34a84d6bc787928e069e2ae94bc6f83573d69ed2d3f7e1f3128de1ef0ef138e6ccbb51206f66c452ff053b81195e8d05ff86df40b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
64755b93af97a99db57ffa25f533004f

SHA1
41019f31d562f85715a5b9d87068c612c65d5c0e

SHA256
36aea7a597c99b84021209e82904d56949e1e43e1c99a4b5dbe6f73bc8b974b3

SHA512
fde8597594262fbb93ac6ffad503463927f6573e5fd4ce16277c00c31aafca7345db8a2589a122b31cbca6849ed607e4479eeb633a2a0eee1c1bdecd9107f848

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5d2a7c9f726f4cea3911dc1cefe4fcec

SHA1
bf978a98ed8bce03f5bb578ab6159e653f895c4c

SHA256
895763b542f4d29fc7618c2a96b3c01ab14bcb24c1098ec2d81d60148cb8ffea

SHA512
ef5050a197ebeb413bc6b26861108dc58e5c9f5a806a33d3cffeed9a2346bd004227ea2352640d6549f1e65a58e04ef12383493bf909b9a4e41d908f6f074a3f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
697ca3e3bcdabbb4201498f98904998e

SHA1
dfe1e8d22d98f6205938f18c3a04b00fd8bc8195

SHA256
d11352a3045bc1ddc132caa7f07bf389b628304ecfb5cc8b01501d83d9a21f9d

SHA512
fccde5b205ff21a625b54bfa213297c39235f3cfc0d2f25f44b5b63a09d20cf91073ca95ae5b6a549360064f0270c189939b5a5e477e60751792fb72a10263ee

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6a7d9349aa608749c2aedd4cf884b154

SHA1
06bcd5cc38ef8e1c3a0ff84d9cee28f790dfb80f

SHA256
5765199ef2aa6960b83c58ad3f744c62c4c4cec2475a9774d38961989c4da1f4

SHA512
231fee241ffabdf3e2f68a0d59f7e4b4bfb99c9dbac414664078fa1f1e5e5a0bdf894e1be5b2b832d80d8f0f02952b9578d2ba9c90ea4d0d0aabba812128e879

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
696abf99af7b6104bcb3f65711995a5e

SHA1
3eb98cbb03130231eafe32c64b9a2da86291e53b

SHA256
f40c7746d2afe359b7bd356c28f14cfab29a506af3486b73ba66576388b389a7

SHA512
448a4795bc24e9ffc82cba117d4366629e425563ac6335a910fb468b723eecc3123ef80935d66eef85c88cca34ea336ad9a708876772f5047290c819b2582f74

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
9caa76b06cca4bdb62552051ed728506

SHA1
d97002107844bc4d11d8a0f4e063a5908584c146

SHA256
a6303ac9ae0e4fc2ef5dc4816b7978b22fb80b2492cc208be3d0ca16d672d85a

SHA512
f055919ceee8afc37564024adb332cf819ebb20c04e3ae5df6335c5fa5259f5e353e61c36873b5bd8733ed6313061a40907e54666fdb4500f91933d3dc47571b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
91b3db2dbf2ab2c842ad958e4a5bede2

SHA1
a9e08baec623364b73f985e63fac07dbc1122a3e

SHA256
7d50b21cf2fd3ad0b627459a4afeed2fbee091632c7ce351692a02aeee6a9074

SHA512
e914d38481e9c46880040fe727d70a32c776c4570bfd4f5ebe7f0ba7bd7a9f7d79672bcda118fd482188801937c89d0e9baaa50911ab0049630a7db3c3456da6

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a144fd177a2f2ba4caaa338c03bd02ac

SHA1
e46d6b25b5feff1df49394d5602eda43cf39097a

SHA256
0ccd388d22ac5ff69accd9c5f78708ebd5d833cd42f8eef8ced7dddebdf73e12

SHA512
d694353a5c996768638ea41093f56f4c7ec88155bd404d8ecd63097bdd71af4c5fbafa5ba0cbf77973cbf143805241155da0387371beb7bdf9b2da2db3b23b64

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4743515545033620ba242079c25e8ea1

SHA1
67751901ce4a45e78d2bcb6defc32d6d9e590055

SHA256
8771601f920409cc3f76caf2ba73a26924eb5e941875c9cf8208592462c1daa9

SHA512
d94eb71498e1f7c94d34d3c5c86420f42991bc3937ddb1049ca0a25a52e68d04439417f2ce8e44a9ba69f1abfde07d03323a25c5b0aab0b278307e1f2c6dced9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
26974ee836744494d898ecf3e873599f

SHA1
0b33eaf71c3705780e39a267494f0b6eb6cc604c

SHA256
2df40f2fd10a102911fdd26922891793de2bf54c38a24cd5d4edbc6904b31ffb

SHA512
30c38ec01da34828c027a39e772af43b8cc02189799457f0511d5a2d90d932df0bfc23a7db624eae537f06467de3b4d75c3999d33d96336de8045bc2374efa11

Download Submit
memory/116-6-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/116-133-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/116-7-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/116-1-0x0000000000B50000-0x0000000000BB7000-memory.dmp

Filesize
412KB

Download
memory/116-448-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/116-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/756-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/756-336-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/756-277-0x00000000009A0000-0x0000000000A00000-memory.dmp

Filesize
384KB

Download
memory/980-358-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/980-352-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1072-160-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1072-94-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1072-100-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1072-93-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1412-332-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1412-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1436-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1436-223-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1436-214-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1912-283-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1912-290-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1912-349-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1916-145-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1916-87-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1916-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1916-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2152-345-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2152-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2380-186-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2380-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2380-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2440-126-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2440-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2440-116-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2440-117-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3516-236-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3516-230-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3516-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3696-323-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3696-257-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3696-262-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3944-226-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3944-170-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3944-162-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3944-161-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4064-307-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4064-303-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4064-310-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4064-296-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4108-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4108-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4108-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4108-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4108-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4124-443-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4124-366-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4224-146-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4224-151-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4224-158-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4224-143-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4224-156-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4224-152-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4476-204-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4476-267-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4476-210-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/4604-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4604-112-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4604-121-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4604-118-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4604-105-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/4876-643-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4876-320-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4876-312-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4952-199-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4952-254-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4952-191-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5060-309-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5060-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/5060-249-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download