15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
Size

1.8MB
MD5

4280c9ae8ca069bf39e96bbd8f0c147b
SHA1

efaf7cf4ce71731aece53c68040b70cb55d37d86
SHA256

15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38
SHA512

ddb21bdb1e11007b6a8944c9eb2f986cebac33ca7ddd32dadfd4537d45d035b1ce4fa05a643d69527ca03f70e7e4ec0eefc0c6dc509f7fc0b396d87c63813908
SSDEEP

49152:Tx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA1f9Ckt7c20+9qNxUW:TvbjVkjjCAzJyfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1760	alg.exe
4112	DiagnosticsHub.StandardCollector.Service.exe
1172	fxssvc.exe
3656	elevation_service.exe
2260	elevation_service.exe
5576	maintenanceservice.exe
2228	msdtc.exe
1208	OSE.EXE
3720	PerceptionSimulationService.exe
3032	perfhost.exe
2372	locator.exe
1300	SensorDataService.exe
1352	snmptrap.exe
3928	spectrum.exe
5188	ssh-agent.exe
1176	TieringEngineService.exe
5676	AgentService.exe
5468	vds.exe
5072	vssvc.exe
4492	wbengine.exe
4196	WmiApSrv.exe
4044	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\wbengine.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2f3011f64a48edc7.bin	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\System32\vds.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\locator.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\msiexec.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\spectrum.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\dllhost.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\System32\alg.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\System32\msdtc.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_95203\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E32.tmp\goopdateres_zh-TW.dll	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E32.tmp\goopdateres_am.dll	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E32.tmp\goopdateres_kn.dll	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E32.tmp\goopdateres_bn.dll	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E32.tmp\goopdateres_te.dll	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3E32.tmp\goopdateres_uk.dll	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010aaf11fe9a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001487e71de9a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a38f81de9a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084d01720e9a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d495fd1fe9a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fbd9981de9a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdd93e1fe9a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d977961de9a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4112	DiagnosticsHub.StandardCollector.Service.exe
4112	DiagnosticsHub.StandardCollector.Service.exe
4112	DiagnosticsHub.StandardCollector.Service.exe
4112	DiagnosticsHub.StandardCollector.Service.exe
4112	DiagnosticsHub.StandardCollector.Service.exe
4112	DiagnosticsHub.StandardCollector.Service.exe
4112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2876	15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
Token: SeAuditPrivilege	1172	fxssvc.exe
Token: SeRestorePrivilege	1176	TieringEngineService.exe
Token: SeManageVolumePrivilege	1176	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5676	AgentService.exe
Token: SeBackupPrivilege	5072	vssvc.exe
Token: SeRestorePrivilege	5072	vssvc.exe
Token: SeAuditPrivilege	5072	vssvc.exe
Token: SeBackupPrivilege	4492	wbengine.exe
Token: SeRestorePrivilege	4492	wbengine.exe
Token: SeSecurityPrivilege	4492	wbengine.exe
Token: 33	4044	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4044	SearchIndexer.exe
Token: SeDebugPrivilege	1760	alg.exe
Token: SeDebugPrivilege	1760	alg.exe
Token: SeDebugPrivilege	1760	alg.exe
Token: SeDebugPrivilege	4112	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 884	4044	SearchIndexer.exe	112
PID 4044 wrote to memory of 884	4044	SearchIndexer.exe	112
PID 4044 wrote to memory of 3332	4044	SearchIndexer.exe	113
PID 4044 wrote to memory of 3332	4044	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe
"C:\Users\Admin\AppData\Local\Temp\15ff6af89bbb4cc111766ce052e703596ada5a45d81e8620ed062a0949e60e38.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4628

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2260

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5576

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2228

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1208

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3032

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1300

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1352

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3928

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:392

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1176

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:884
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
250a42d6af2e2c4ca94314317e776aac

SHA1
37fc6283d543bac6073c40f22ea9031751dc7018

SHA256
3909ad90619a78dce2ca2004e97ab7488d29591a8e3f825b0bbcb0dae4ac01e4

SHA512
435780c34cd19d5b10d986a131e93be6d474862ba9682d3c0cf0a8f2bc36f3517a71856998fbf735dfec1d1b17dea7d927b5fad7e503b927b754f49f277c2d71

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
08755290ce03cebe8ce5e19eae0778a9

SHA1
80ece8dbf1c8d880fc92e78138053c28c43f1c9e

SHA256
ea6682e089b7994ff3dcf7c898ff76d5c5511e1a4f62e2018a6f95c0e31855ec

SHA512
3066d29fed0be285d12563d4e5d892c10bfb7f8e450a6ba1d003f4dbbff29e104e93f377ab7980d9e9f8434fdd894a5e03f00d65ccc4726233693e1388978fc6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
a377251810ee65a890207fc3235bb933

SHA1
7d5eb8107c07976046ee70d4f3f6d53e9f5bd627

SHA256
7e7218c1494a06acba6d0198d57876c971d5efdd1528e1f9e935360da43a5afa

SHA512
2778b9cc8abf4de24b23a8b71b6c44bc13ac46ce358e2c85e3a2c35d19bcbcd9b2f53853a7e028b2180fd6c13bea332ec670cc61fc1d595103ebf9fe406507fc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
88dd6f4949347b82948172eca357cd09

SHA1
d596beb001f051cc718efb86a91b2416eb39d463

SHA256
a0b11316a10f8c35845e7bac6a4464126d1a0373af9cfd872bc95ff7f0987c14

SHA512
44dc8a895f8c928305dcce96b0b3c7cf1130e70d5eb904f877d2c863f07573c727491d56f9dd59f193d6c8c4f5fb055d348d9fb4eb468471c4e67dbc5616e247

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
a214e00f4fc3b10f65dd7b23a7526786

SHA1
ac853d129fea9b61e2864c2c096e7dd7f31fdda0

SHA256
6b89c4ee62544fd21c17eed9e4ff9d3d3d44ea79c28903982e1a0d2773c5d0b1

SHA512
3c46653ee89916eeb8e12a89e521df64bed2d7a118776e51674a89ac5f88816c0d87ea361e95f2fbb752c208bb9c23a8a12b507e952b45deb5d9c49ade975c17

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b9a93b2e0415b0178039c3a01600fdf1

SHA1
cf419fd339a7583eb8b7bbe8491884f9fd66e274

SHA256
ad768564ba7995403ef4f5c0da80de0cdc78b1605e2eac2f4424b369daa00553

SHA512
8ea39a40a491c4d7e3cd8b4b9cadaf9c7b309ab45cefc8e0722705c921b8090e078e1c761202a41816483c4ba51493196c623248e6592e1664f71e1855e607f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
92a00b943f109ac16cb571ac3fcb63fa

SHA1
0ca6cc42ade6ce06eb6e4d978140d2aa112016dd

SHA256
60e2dbeaae7a0abc527f485c485c6067235fa3668a6a0b6a2c1488e0844bb706

SHA512
df8dd929ea948ba95c068555e61b1679dbf0e42f0a32f74a92992365a3e9b0cfa22e0d683960f89d601b599aedc49fb1a06e3b35302c90593ac55c2bbe4d888c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2fd4dc4119943697d33bfb2d08913210

SHA1
324cc46f3a9ea692a0115184b4e39b2214d7537f

SHA256
79e3a746cd28bc91bdb94fcceb4f0e12df075d89878d9be4b889385a54143d34

SHA512
4caada8550be0e96292e6dbb22d0435b32caae958d81c56b83d68d1bf14fc7b9b7262cee5a902f1f801f3e41ae444d9d6525b19942ae3790273b317b60e4a402

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
7f6310f616b3aaec94751ef7dbff2fbc

SHA1
f39559dc57d0a7429cf23754a112193168830578

SHA256
a28fb5a845f5756d040a501184dc6ba8bf5143269668254835063a1102e4c1d5

SHA512
527ecabd4578879958f7b25c2c78953995d40db4507c9033940d30cef70b1bd9d961c33c0104aa5b2bfde81fa1b9c23a08552d277ed4d1d3a6930f9d81e3410d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c74f86919d0ad6cacb31ba5c18982cc0

SHA1
2d76f5ab9ed8bbb6373c82bf47cf5f538eef2db2

SHA256
ff591eda692b3c7dcd5e2fe5b5c0f7d3d11c6b2040e489434339a56eb7389e89

SHA512
7b4f1e8fc2f4b745f4d82b90ba99b9d36edc1911ef5a8a359adf04ae19563c49acfacceb0815a78fc3ebf062ec4fe0e1763afc0a9f42acc57f1e000c6c09c59a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
487b8254419f2bacc2496a77ae292b9f

SHA1
57238d9a4f490965a6fe185c3fdd88c0fb45e433

SHA256
401bf3e763600f243c45cba933a9ec22d619aa1c2173c35df62c9114409207f5

SHA512
6ccf7028c23e93a584cabf469090ab9950367e946ba58e1d7d748e3c9e9139ccfb430a43ea01cb8d9f282d72f179f5f15c8dc6c20a2983deafd2a9d17bbb20e1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8b8f1b75dba773bf9c5557dd61dcea84

SHA1
ce023aa147aa4ce761375a6dcd298c96fbdc1580

SHA256
a9b20fa396cc1ce9c862b00d76d7c9e546254152f9b3e23592126059306d646a

SHA512
99c2e3366df579359a153fb85502380d450b3d243e62d514456853c51d11ba0a364c639d4fa9947327a6eda0dc460f1edb2d47072b6137ead898821b97029370

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5a2284eff209207721fea1177dd2a773

SHA1
a24e5ecc0c0dadb10629ca5d76b8fae810e088e6

SHA256
4cef73821af0fb89b3de4550fcf56501f4ce33e77b1d88c352c31694e0e34aea

SHA512
09a4f892585cd2f88dc95917ca69045f216940ea042c0c400b31d272bbd7028ff9368bba3bf5613591ebb133124787f230a66d3f54297ba9ce5a1134423632af

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
1a4c718cb6e0e1d89f69f68c8fddf258

SHA1
b350c5ca7ba2ab682044c59f809c3e76e725c759

SHA256
ef85de305bba44f745ec3e37bedf71d2828c6921b90367ef70b5c4583d9974ad

SHA512
1c0f530125e6f4093ebc1d4c802170a48c22e8a01c966fb08cfa98bc620fe13759dcd86a498bd9b53c9d6ba4b695fd73fab0d7a12f3366bf36261748c8df93f8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8e5cf1950e56c82802d68436103db685

SHA1
dfae481a73e4364e090325a14e633d6888b80f9a

SHA256
cfb83058f35f6657f1b1916ed09ec81515a9670d0bd45398dbefc9d1df193236

SHA512
6898a5cada8dd8b1f9eaf29c7e4d791a9586bfff45f2a4775b22aa5d8e9971f7f454f8c4aae62d68127b3452b5d4ef4df0a7bde59bbf8d39238377c5a7102ec0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
732f511fd99be7d375602da07932be90

SHA1
8104efba8bf9e7d1ed3dc6191f3f7f7ac8fadda6

SHA256
65cd1b34bb3afce762cb3812cd871a78b05b7df4ababab200b8bfe72ade3b711

SHA512
ae4b08623a6e22503448ee985d83960eaf44eea7f9ff01201e8ef5cded6dc2b4c001a43bea9dcd3438f63ef5922c080e5181f4de0edfb23542bd1dbf396de33f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4eba8c6ecd518d1baf7721132184a827

SHA1
d60e924d5eb5a3f296561a1d667a5e36de841965

SHA256
507bccf1a1648b17488beaf17f2876d0845097fe0c5a8f6db1db4e145c95133e

SHA512
72694cdde25fa8ac700ec5782dde0cb4d15f06ad953fad5ae02dcf5342e7c7799afaf0817c73157fc9a2bab9930706b382682723b3201eeb6b737669297e0a26

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
21b761c0768a749a6ae45841cb86a217

SHA1
e9765f3fd1d015ec3c15e66894ce5a5a776d51be

SHA256
ec1eeacfc29992f54465b74a792bcb642aceafcc1aac8a431a8337d4365ff30c

SHA512
6ce73fc375b660ecd6b2889b250c1f076f3e1c426479ef1d9c9c17abaa4e27ed8c24e9ce521617e3bb0f06ad3773c0dc742f39d719b8ddc61c0f455656e0dd14

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8651bb4ce56ce1f273ff15b9a4e0566b

SHA1
531691e1a6d92a02fafad8983228bcceb22d1d1e

SHA256
b136071c58a4a4edf0d54b8bf3aa4c7faae17ac2e80ea064efbb4315e1bfdf80

SHA512
e1c2ab2170b29bc120cc9bb7a6ec114e940053f3ca0ac3f6b77fa6c69f9ca28eb00c06bcc074b797595053a96259b04b5cbfb807e9ab83c42438a0834204a542

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ceaa30ccd85ffd003605dbd52704ec89

SHA1
83234e7f63ba60b1db7eb75425c1375c23106df5

SHA256
a53cb62e62d11286c14133545d0c7a36abcfd8adf9ee4f82508b3097caadde0c

SHA512
6ccce7035e7e4467d143bf3ce020a47e7bfefbe010285099d4a7918e8aaaf870d0582956a977d7bc0473b91dced4d94d0173b32d88a39644cead18a8d35f56e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
4797116abe00738d5d6bdaf1a3fab4c8

SHA1
f58240545f09125f64b1ac75e5b1e7eb93eaf41b

SHA256
e73029331b9073c46c1ae84131b7e4ab96e2d34af089c080e1138d3c1935af9d

SHA512
7e8a8b958bc8928c668b8f484028d28e1306c44dd6d6f71df3fdb363e9148720e9f8bb4575fda4f63d65a9eba25f2520de3d1492198527f3ca470e6c24638425

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
88b5e7260de0a7b91e2657cb334cb8db

SHA1
7baa2bf8c0cc64db56b4822f4720a26f5da4f78b

SHA256
8a7e97e47f498a187e4b70e0796d318dd1175683909cac3d794e797bf8b938fc

SHA512
04e91e1bd36d874e876d5dd04059175cbcefd8bdb01d62d228c4b338638f95e72aa0fa6af6e5576993e3160790ed9ff650d638f35493fd1578ca99738d3504dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
8707ee4d9e17582835a9a22fcc0f5474

SHA1
cae19086c01eef2d8b9983028ca0a10510775335

SHA256
eba43eb26674f38765622a3fb3ea8ca361bb911c111c4c2f09a157cb46a18f55

SHA512
08ef176ac48c73f1563ae36362e375f80fd0e274d2823032ea2002f2b536a288e3e9d60db7142fd0fbcc74ed24da18515a24476c5cc3d2a748ec825b9f076aaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
839531eb3173b0c6b16794534fb8d7a3

SHA1
fbc0295863deca548e0cb28fb27382dc21a799fe

SHA256
7e8dcec6b97a94ff18e398200d853b8ef9d01daf031e8c38d1a769718a2e280c

SHA512
bbc97c3b87a7f6e68af724bec596b24f1b2fc37834daeca7eb9232747e49e0c38f8c0c675f547721f0bfe9f8faeb661e26117a67203f3f6d9ae7cd78af60a4f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
6633deca560eb6bef47c574cc7fd0117

SHA1
52c6c4096556b72fe1b648f196a993b77ee1f7cb

SHA256
63e0ce3b266fff8a9c75a5c306468f660ef0206dfba5693b9c0374869d2e98a6

SHA512
26022c1152c8d18a666ed1bc4ccf2744e342bfc09f3cce06332b60799eb8f959223e861f5284f0a4fbccfbd0a0f6b16fab00065009ac2b0a0b9ccab82bb6890a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
52b938eccf91da505e3e37a7680717b2

SHA1
4f5d087dfe378527d3e61fd308617c77ceaddb6e

SHA256
e67c712c21776633d0d5b8a052ccb5e0a96410c9480600b44e26c0c56199a3a6

SHA512
25af75ec2241c7a43706460ab941c4a64c8eda659c4d65e75df352674fcca23639015979c6fe1d4fbc333075d9e9170e7644a65a3ebd2467d0cffa6e2ba0a00e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
af48ddb88b02efeee2c4c11ebe94f89e

SHA1
b97aa3e85bb4c3c4b77b357636d4ad3babc32708

SHA256
a95a47f51b6d234309fe2a75193d916d063de90427aa832b64a721c02fa319e8

SHA512
64afa9dcc5852e294d7db23fc150a787a22180dea0eeb5ba36181f97f8261949f7e3ad212abea5eef8c4673cd3fa3c62f1cba56c8bdcaa4ff5061a952356b2da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
7c566fc77a342ad16cffc797d44742a4

SHA1
44053cf30cfe527f1c5baf6f8d09b3a70f780aae

SHA256
b9942f40da37f5cc7a9ee5e14250780b0aed67fd967636afea4b2aabc4b798c6

SHA512
890825f73728dafe39de2041b99ff355c20d1b507921bf9225bc11f890646422e625d88e02f011a41c36b6b3e0d1a5a5aa227c272b1231e5957928b786c0bf9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
fdb62b3c76a53bb14051c2d2a04d5e28

SHA1
301ff37adfb68388f048aad5b1b85bbaa7609078

SHA256
773c5caaf1d974137564bf249896dcd067f2131fa5d2f88d17bd902745f4de3d

SHA512
5ccf28699998c973f54ed88139727cea12379510024834ca186f1a32ecc9c0e1273b93600da8abf5bd7d2fe7bfb2cd7adf125be055958b6dcd8c9368315a0391

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
6668e16470034dcff62aab323efac30c

SHA1
0756624ecce5ff0e86de239bacd4ca6c58b84a15

SHA256
7b0e30eaec5cbbda39f62b36ce532e464f499a5a1f162804856227eaf916204c

SHA512
dbf1388ed3aa38f55a47d420e34afa61cefb53ec45bd637ca72e764ffb5e032e5be867877a1ca44581f38da6bcb0afabbcf8f0431ec8cc2b17483054566f70f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
43fd18a5a8fd6ea59e8365d71f1bbcdc

SHA1
769abd7b4daaabecc5a37d326512b56a7479e56a

SHA256
7da70aa60ff8846eb9b863f30886a153ad3b75df3b7a62054967801a83efb362

SHA512
e386a1fe2b8c562a9b7e69dc49509b3b6dc5de84aaf5290e04d256cd332ec1e1ce5ac32e7eb1e098c8d9d97e2c655e778d1332598af1d20d1cfc6a44c668b622

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
1dfec4ce26256cbff12b95130397f11f

SHA1
031719f98894c1fdc917e0d1ae62a23764319dbf

SHA256
72d0e6acd58f76ed261f533ff28c108ecc48d33fa0b69b39fdd001d5197ab13f

SHA512
aa58bc907aa6f2c9ecb95f060d0a1e85fb11a56bec921efd5331a77f22823e0c89a46f8365ca7883c18b0ab2637ff577e9585100b995224a66a130f9e0caea25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
949f9076b4ae080a8b914bc271c9ba79

SHA1
532ca5194912a90f2cfe8bf06c2e511b290c147b

SHA256
93a3b7f138fe40d3a3ef02ad2ecb8a4da6652fb2745aca0946bd86dae61054e4

SHA512
5e869a7357ea53d7e5aabc7af5a549dde2740c04be1c77654162bdee2f40649036c313aa0b75bc442d49c7e3cfc267c5d7768284afa8a895e3fb26714cf61169

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
c73a682b20296bdafe8fec14551095e7

SHA1
def5466997d400202f8bf5726e66b88f4a9fe25d

SHA256
3a4f1c9463f010943d03a2f5e28cebc8fa7e377b5a905799bc675c21b5a50e95

SHA512
98caf4f05fd35400b73b18019a9bbe3ac21896a053134136e6f672aa3e40e869c58b62fd1c75a69bd1c2ae711ccbdd34193e7bf9838f99019bd306abfd32f0fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
246d08d9095fb1896ab1440b259dfd4b

SHA1
b2611045a58d8d2b599ecd98d78201758937476e

SHA256
7f2efb707ced7c92b09f0dfd58f4e0bee999704d641f1efbd23cdfe90aa4c7c1

SHA512
9034380b082a4a9a027d20bc72a2b4aee11e3a6609b93e4493ce6c203c81fc7bdd8646fb146b7d4ff62206892ed529279bc55e87bd030810e41fd7331326da14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
645cbd50f6dcd941896f1b34c7a058b9

SHA1
427544317d39eb77026fc1f6c1248f11109d3ece

SHA256
19882464cecf6cae296b91a1d1842cd4a3946da9c1a596a96e7b0434155c44ab

SHA512
eba53fbe474c0acb366a595c3e2f51529f17470f717bdef01c475d99cf020379a6606c10fdd6a067cb9dec29dd0cd32b5a41861d5ecd40a1df11cf0c718b12a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
57d5034f180b14820aaec0f9d8dc0081

SHA1
12a4d22a3d4e31803fa9749ac26b5d118afd2072

SHA256
1e6139a1f23c36af985275ddb6dd71593bc0a701d40e1bb62e73c686377ea550

SHA512
e4865c849e32ea5299dc484be1737c1695817d88fc3ba43d216490ae89171f22496a8f553fd8e844d70c49616fbff21b17227fb445ea8beca27c4466dfbdf308

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f62e6e1cbd43e46abbb490279a0eef7d

SHA1
673eea56a09374d85c885e6adc4e5f5e06e942bc

SHA256
a26901064fb87269016a40780dd523fc41e995527c9c5205209bb27f4eee9a1b

SHA512
675195238508aa01ae8933bbe9eacf0c2ac8b65f8480e570fdee672644f26b821c893468483cabc5879c5577231c15d840424e8b52aa9fa11af4baef8f24e425

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
53cfb6134c3d71f1c988fbe894ebe2fc

SHA1
bd6082deb4b469def2d7ae6411473d1de3201699

SHA256
8cfbb4bb2908206dd41f664036256318e797ba7b528691e0c90e3cae580ebb35

SHA512
d3b1aa71bc78c164a01eb20d5449287ab5310b7eca0d307f1a0bcaf0de3b0a5bed7af6591c3e48ba9f66465c33ed899d29ce791aef839c7aa588cd94d1a63703

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
4bdb5afa4d41449152128ffff6fe33bf

SHA1
203aa23e609b47edffc05ebaaa52d5100cdf040c

SHA256
df4570028193da5906bc4e740c12c5cbf266090cf60f8e897260f545fe2c33eb

SHA512
50bdc0020703a4b6ae7a1b66849b9781a525b4c9002cbfd1d5e495f59bd0674604cc0600320879d6cd2af77e309d794f57340a7f5278a302b5680c67926f2a9a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f902939de59582b55b204dc1d11a93dd

SHA1
1ec4fc25dcefd8f166138d115583692914aa030b

SHA256
2efdb0dea831ed46f4c74480c241f5bbc794449e23248789bbfc1d7accc24cb3

SHA512
a5c48495da1195fb3722ff71e14dc03ef8fec4c32aff27bc008a35cdf4f4242f3bcf7be93376f980667a091af4d6f82ff11afdc9a2dc32942594262a713ddb0e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
8c77838802879f1581ca385b927348c0

SHA1
b17082580be79fa4628e22adbeed949490fe7c82

SHA256
aa9dbff0af76e51eec6b6f4d2850a0def171fe7c7d2574ed9c6290fdab7e25f7

SHA512
f6d0963d3cb05e934a1d1eda14590ce5f65db3db7a3a1ccaf565deb101a4b00fed41120c71c578187d1cb4fe7d1a2dcbde4cab4b609e6e38d5b105af8dd6fff8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
261a9397c82a85457b6ec92e00a862b1

SHA1
cb7ec03d675b17fe6083d71d163e552be1ac0694

SHA256
4f1589edcdf80882c3fd03d1093e1cfd9f0fde5c86637955f40895708f8dacc1

SHA512
aa183bc394b8f6a7e54f32cd8c48b9568da0582548d1130fbd5a51a4114abd399700d8e28fc126931da5bb30752d00b0c72567770d6c9ce07cf1d72d63af27f7

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
662f2bd2e469985745c9c5574d2c26eb

SHA1
7c8c6ead35a8e2c0ec87e7377e5429b7919ea8a2

SHA256
d6ccd27be251d40bfc9179bcd6bf7289a3a08c0a59ee30249842ac95fd92b924

SHA512
1972d05b52776f4ce4946ae0142dfddbce526d7e69167d3f8a96afe719d486793f30f4c123fe70af0fd8c90dfacf0a2706b18924e289405941ba09757a2a5e61

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
b878f2b195f99c328f8084680e02f3f2

SHA1
745cc83be59718bee89db9ab3580cbc35f54214e

SHA256
6bb85167d53d6d6d4c63fe176b8eb6ca2c24b495547caf8bdb6fa7953e6eac00

SHA512
d6d26d6d6647bda30bb556c4d729bd905c02ea898dd2657b8c094f83591779e0b937e8f5c510ba1ded8fb61183abc4934c1cee24af22d3fe371440ba6e3dd2a2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
5ff7cee33d845ef288127375db29f482

SHA1
06baa07cefeb86cee87108c64bd5f522f0e532fe

SHA256
f76b1d237b2acb02445e46d67310299fd5e247d85a14f76d78bdbc0fc257771d

SHA512
a60f9397a2ea6f5d6b8e258d97d14a2b71ca53c5eea3f99ce824f6c5f7ec26906e138468dd3f8f3146dc952fa2dac040a2aca0583473f1598ab67f3b3f0d1fa8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
683dbb3bf0f573843dc411b94496cb4d

SHA1
41ef402ed32eabe4bfe846719694a1d1049ac08e

SHA256
8126b684b9bd4d598eddf43d87302eadbbc19850098280c534df86270f2096ec

SHA512
f399c7c143463e479399eec4b7d76ed37f98d6d7118c3c7e76fd57dda1e2dc34b47f642b5baeabc600909b0d507496508397c519d75ba83c24387abca37b0ab5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
34a31fedef62faa7c3b3eca38f86be0e

SHA1
8cd208a895ab0e84d9566006a4e1b76e90d88862

SHA256
4af9610e63eade80d37925a33523337a6c81b87a4abde6d0b15159612dade870

SHA512
23a2865c830f580f8fde8e01a5f2a3d54a9f5bf5539e32675ff38978ee9f4126b423ec0197eaff60481e6a18981c966839c375ac9bd5f1b94b644b7859b93234

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
400ed11e6d0a3e6e5e43ad0a0a9f8f8f

SHA1
0fed995c4744065dfc72703a229800d2a04ca7b1

SHA256
791ee5a6f8b690a9f018b87148125bb642400c0e9f9d0f65d410be38dcbe4df8

SHA512
6d3524b6aec26a67fe7bf96b18429e0eff6ff6a836112c77a375e70593a6ed316348cb853a884dbc87dff37aa5b1ec74c001941dfe177ba250cb28b04cfef913

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
da5cdfe3ef8911b6e2bd9409ec6ab58f

SHA1
4e4b021e13b95907851a3e6f5acdfaa16ed1effa

SHA256
f7deeee3b4d1453cb05920196387a813c48c8925862e7426de9210b349a6879e

SHA512
75a0ebfea0e4839c30d0d2ffba17e94918dc5f4d3097e9a83b4da6f368313b670527a0a166664fd665295fc4190bd4d642e2d811da78f440f426899cb867bb63

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6e6b72b59afdc96e2025c283597188ae

SHA1
f2d16d4843a6404f66652ba793b81101e1ce2535

SHA256
4afc9d3736c033ac62084e3a8ffe1292d97baf059a0853a961041c81091001a0

SHA512
58d602f778a2a92ee1aca529cd7a8f074bf9145d99029dd9e7d6ca572a3490cc2a9b8515df12a22d41d3b1faf3bcae832bc5c470f5780c71e1cb96fdf6b85c9e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
57284f0f488e20353a2875552f644de8

SHA1
aae7e2c008d8b3cefaa342968a2489c5182167bd

SHA256
a13f0f1fa8750bc6e6c19f99d942f0791df8d9e9226b161da9e493efcbdf96a7

SHA512
ef87eca704ed0297b1029bc0a349ce89b289281be12adbaa74e17c5c68d69705b94e88fca274d8fed7f1fb0ba2291e9356b7b2e14388358c10d04408262741fb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
bf55563ba46e40849ca8672399135ecf

SHA1
a8e84f3b4a3b861840e3fe183425a0c3b18e74ec

SHA256
07764f4b76b4115aaf8af23013f895176c9be3055a622ea232941bf533179166

SHA512
f35d19851330caacbb6279184423a1fc23faeb0380cd6bb1b7693b44d2deb5fb4aecf861bccda0262bd9982758d495d3a71e4cb4ce5879716dc469523a802dfe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
54f72233f444e8c65d0ea5bbc440aeda

SHA1
76deeea351fd50ee03e76d7cbad63e1ac7716139

SHA256
4eb3b4bc006988366c803da44d6045bea791c7b315c7a768f5de3be446e9d3c9

SHA512
4b542b589defee53cd52b76c795aedb6f4239dec50aef10d6ec52b52b07500613ccffd5e626b0b435aed4df65ea23a653673b0e569f3a34a2fd0ef8462e50536

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0513b71a678a0f97133aa867de276af8

SHA1
184a6b476c4ceb9a38883e060aeaba48e5c647e1

SHA256
8014d4f50e11a2b2e8df47afdd1b4ef6e6be05127b1cb81563a98e88aa250285

SHA512
0375d4e63669b36fbe5db17e959c22481e83c119be2637c36777903584284b7f3a6438ba51d054ca93c6306ee61dc8489dc760b1ea41b73600614f9f67549284

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
63a7909acb57d24e661f365f5e3723dd

SHA1
a75b728d80412b4f6a07c6f9e067856974438537

SHA256
82abd67c20eb7b9d75c0b0479bfb82f8e601cd53801859e751f89ee28148d4c9

SHA512
c3999703486be812ac3fd27adde8752beed1a4b2ac18e9c9908f6a830eb40bb1a837bcfbbe0d7be02c9c665d1c080912f11083c40b858831d9a85c7e1671fabc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b5f275692aac28e020017a57493bf170

SHA1
0927fd784ad7f2fb2af827d3870287c60ea7d80e

SHA256
02d683f232b922b4ec312722842811e085ce78bdfe81b82231e9b62ac9d7b70f

SHA512
9c3ef0b57ef306166867049c7b3a720d6f101910343fba3fc8e1cfe859741df30642b2f670d0a6bf8e7f3cf11c2fbea2bbd073561e3cb3299fb877d6de76e06c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
de91e80e875aaac64f178d8ccc2d6193

SHA1
81377f33f784b7d39da413381fde0c9ad2733ee1

SHA256
11344117710c7eb59c01e62a623c1d1fe5a5eaa9f4efd4fd2d7a25a4a407ee62

SHA512
054c2ed74215dd10de4950b99b452c0ac181c40c96dedc66083ddbe92d2692e785f152454cfe4ba13b0baf215f6b7d841f9cf6d25bada6aeb196ba8bf98d6c21

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
dab4371175b0c2c1fee420a9379b9fe2

SHA1
366e7305c81dd58c9d729f855ca1b79fc79d6dd7

SHA256
cfbdb630bcc39644ce57fecaa76866577fcfb380869e3929e56e48c391dc2fe2

SHA512
11d8004c4f4c9a395e35eb903991f82932edbeb84d781b1a4a5166ac6043d7727ee83ba9c89949cb278f1ed45a18c26236e078fb87cf2f99267ee75ad97a3f22

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
4321109b0064dab5d3fdd864f8cd6a17

SHA1
dd857eca6255a33bf95697907c0fd0ede4147f98

SHA256
c929167b2377e125ebd03a2b896384a382e8f6b1f30b0cddae5a3f762f9557d0

SHA512
156edbba717ac415a340988f5bf1a2aa882110b3ebb07862fbf1e2ed90b3cacfde5d415e8359dbe34e077446d58ae9653f3110da4e16c5d74729151694242642

Download Submit
memory/1172-106-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1172-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1172-119-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1172-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1172-112-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1176-690-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1176-259-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1208-284-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1208-171-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1300-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1300-688-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1300-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1352-452-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1352-223-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1760-46-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1760-80-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1760-68-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1760-167-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2228-158-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2228-168-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2260-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2260-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2260-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2260-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2372-208-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2372-320-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/2876-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2876-1-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/2876-6-0x0000000000700000-0x0000000000767000-memory.dmp

Filesize
412KB

Download
memory/2876-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2876-551-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3032-308-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3032-197-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3656-234-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3656-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3656-121-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3656-127-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3720-194-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3720-296-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3928-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3928-682-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4044-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4044-697-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4112-185-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4112-93-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4112-102-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4112-101-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4196-321-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4196-696-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4492-317-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4492-695-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-297-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-692-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5188-256-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5188-689-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/5468-691-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5468-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5576-154-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5576-156-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5576-150-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5576-144-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/5576-143-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/5676-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5676-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download