fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
Size

1.8MB
MD5

e6994272f1e82b56f75849228576f316
SHA1

f552a583607cad5c59b28dceca3c61eb0585fd3b
SHA256

fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177
SHA512

8b51749363d2e4b80d439d5f3d100280e6a7245a888da9837c369a7f50b535275a7f9a0d27d74f3f61c20dc3d4c268fddf4e5935af8b5d68265d5ab5bc6d144d
SSDEEP

49152:SKJ0WR7AFPyyiSruXKpk3WFDL9zxnS+RVlbnXf9gPTTW7H1GXC:SKlBAFPydSS6W6X9lnXRVlbnP9WXW7H/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5092	alg.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
1088	fxssvc.exe
3772	elevation_service.exe
1540	elevation_service.exe
4456	maintenanceservice.exe
3284	msdtc.exe
3324	OSE.EXE
4036	PerceptionSimulationService.exe
4644	perfhost.exe
3404	locator.exe
1584	SensorDataService.exe
4244	snmptrap.exe
2588	spectrum.exe
3592	ssh-agent.exe
1900	TieringEngineService.exe
1628	AgentService.exe
1088	vds.exe
1788	vssvc.exe
4212	wbengine.exe
880	WmiApSrv.exe
2096	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\System32\vds.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\wbengine.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\vssvc.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\spectrum.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6cba2d85c3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\msiexec.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\locator.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\AgentService.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8A5E.tmp\goopdateres_fr.dll	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8A5E.tmp\goopdateres_gu.dll	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8A5E.tmp\goopdateres_fa.dll	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8A5E.tmp\goopdateres_pl.dll	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8A5E.tmp\goopdateres_ja.dll	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8A5E.tmp\goopdateres_sr.dll	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8A5E.tmp\goopdateres_lt.dll	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM8A5E.tmp\goopdateres_ca.dll	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb8ec4878ba5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c23418a8ba5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c74c8908ba5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccabc3888ba5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4912c898ba5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000088a4b8878ba5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071a35e898ba5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe
4568	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1328	fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
Token: SeAuditPrivilege	1088	fxssvc.exe
Token: SeRestorePrivilege	1900	TieringEngineService.exe
Token: SeManageVolumePrivilege	1900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1628	AgentService.exe
Token: SeBackupPrivilege	1788	vssvc.exe
Token: SeRestorePrivilege	1788	vssvc.exe
Token: SeAuditPrivilege	1788	vssvc.exe
Token: SeBackupPrivilege	4212	wbengine.exe
Token: SeRestorePrivilege	4212	wbengine.exe
Token: SeSecurityPrivilege	4212	wbengine.exe
Token: 33	2096	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2096	SearchIndexer.exe
Token: SeDebugPrivilege	5092	alg.exe
Token: SeDebugPrivilege	5092	alg.exe
Token: SeDebugPrivilege	5092	alg.exe
Token: SeDebugPrivilege	4568	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 744	2096	SearchIndexer.exe	111
PID 2096 wrote to memory of 744	2096	SearchIndexer.exe	111
PID 2096 wrote to memory of 1628	2096	SearchIndexer.exe	112
PID 2096 wrote to memory of 1628	2096	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe
"C:\Users\Admin\AppData\Local\Temp\fadcdba0af5a3452a58fa8ee324897b5952e33b2ce6914aa8f60e7b5e832c177.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3216

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3772

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1540

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3284

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3324

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1584

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2588

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1564

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1088

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4212

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:744
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3b1e96525b9b9f6f0edd45b2cde564fa

SHA1
4c0bab45a92326a3fa050a425a06ba81ee23127e

SHA256
4e2b2477d7a40c94660c5701f92b6105f87523291260ca71a81715adda0eefa2

SHA512
d53db3c8344a20b306ae7d8248f2e3500e41f500aa7cda68ffe4bfd087fa8e22892d9baf2d441436a5f92148131a4b9f1b8a193bd8db3f0ca5f50b8f56811876

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
e34ffe19373c79004fc5b056298e0214

SHA1
3f8e051341f4571ce531b679ac085cf3b881f2b9

SHA256
985110e2448a62027556433ca4d89401b44ea364e011a6f5b8c9e22e327b00ec

SHA512
e19f43f3f7cbe0dbcd4dd81267e573aff39ed3764cc4c606dcc8fc800a2654837ce18d3478d93b9fb7a2113393652fbf6fd3ce2ef7e79064ffe4a34744dfdc7c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
c7d2b4156a2c4c7e51b5a8a5d65b1c7f

SHA1
0c8fd7129baf2494b45a77effa7b7b5ef634219d

SHA256
b24b441a6dae445c61bb89ddb8f48b9aaa7c63afe7fa7dc64f972d63e70d51d4

SHA512
e060d354637d2f4007774f59db492dc0c1ff4001fe81f2e9059c2aa78e26fd8fde569174d8343bc10505cd02a3a4bafe2906f4ada1c9d64c379bda6b7ea8bcc5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
524c72657ed553124a9f67c9302d8fc1

SHA1
f61bda6a7e3df3cac07fcb6cb6db79b8cb3fee93

SHA256
3a6a123bedc4d4f6c8728d366cecd5b18effe772cd108b43e4e2a920659b5b0f

SHA512
d41ec48e51c23de63e1b81145d898e0cbc5fa140d0b2e8cde2398d9245974a5b4c5fd6b81204fc0125614889143bf5586f2fcf753a618a534e27f3b13d8a37d2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cba685bd58299b54006d227867fc4ad7

SHA1
333f6890a7fbca8266a3eb78ad2e655d1996db54

SHA256
9ef233c336214b7c6fb2e144072bd2ee5e5f6c8df4d6fa870fe67e6a591f5a94

SHA512
5435ac4768edf9b1fe91813690b61d8c705eb30c5c441cc8b3840a2d828a88532c0c8a05e9b154ef55bfef8b3fcb6ebaefcb7c55cdcae9e3da81c2b831e5481d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
c2a8052c28221a495e9cab456b7cf981

SHA1
667962bdcc3dfe3bb9ee55a3c929aeff2b473c54

SHA256
0ef278169f70700cc526140a02dd1d5d1bcc402400dd61303237bac1e7b16a0e

SHA512
41e6a984de5b5157363f915a5ebb149cc5c6de0b028ec21784501b4446c374427ea4ed83d538ee9a041dd31b3b9b960d0ec6d82b8fcd197d4f3f56a844e6d664

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
e25a8f51c55a9039e3c6cc1bdbb0d025

SHA1
b2f8d15db6e0b08b14eb022bd2991e433981729e

SHA256
4a5ae2b24ea486fd8b3c5205343330d1698599fed089f64dc99c2c5ac7e474cf

SHA512
64cf8f7536c629e9bd6c72b217693af78c4c941fa18752659704910f95a85fb38714c2299204bd4c6e30e632b07b3b84cfe0212c0802d23d13d475f47d696287

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
09253830d52bf89f9b6410e3ee461244

SHA1
f9f68ff3a0957aa195b46bd06e353490bf9db370

SHA256
808f5483702d7360623c72f1e39b8d9f4dee14b7e401206db2b3d315f4174e89

SHA512
d7cd057556c450997e82972c775d208859f8f8b3075de471f6025599a502f1d6ef7901c86883947a1c31b30cae65feca3768d3d7cb960219c998fa690c95712d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
474b74dfaae553dcc42d45b93dd97c7c

SHA1
bd7fb11732e1d403313dd1b137684b5fed459fa6

SHA256
e3259890cb4296a49fcefde4b6fb4efd0ca3dc94c0bb1491b13e53830447ae1c

SHA512
5abbb16e594a6bc50316a4044ecd4a7dab86bb86cb7a6fffd26acd6b0529deaf792932380c198c17e0636306a49fe8502ca00592683ee8b83dd186f28287f9f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ebd80f652f1d425f6331164354a1d399

SHA1
577374b03ff0845677440f17275ac6fdb044af2c

SHA256
0160cfbb5452397f35ead542d2b154b1e3519d12bdfca702ca800b4a0c9ef3fe

SHA512
8f75dad972b5455b80540c024adba451cf8955ceef52614b9fa4887632f28edfe3b496e0fb8f90c547e6f4c4d44641ed9b5a3c61d8adb02ce915274fbbe4ae26

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7bfb6dca6f4ffd7965c2026dd3a6e314

SHA1
ad67216017d1019383317f96d31ba149e6818542

SHA256
3d5d87f6147698dc1f66ce19b2eb8c48e7d970b2e43fa74c169b6a91d06ff4c2

SHA512
a4944791ab6a8380ba9a49c71563b40b453001edbfb2a9342b33398278e0f078e371ede5b6fb4692b800d66d91dc5a0c9bd79d6c86596d22da5012d9593af89b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9c1aaa32203260183f4e340cb29e0ca5

SHA1
d382695738d979a17cc169a9f0c6d865d1799d20

SHA256
1b0e210c8a7850beea0ec7f7537219b6bf0d85b2d34e672e732457fa26134924

SHA512
d12f3de3064063fcbc12e57be886624d9e57ac964f89231f0c62c282f75520203d23f9078eceb6cd6884ae8bf1ebb80186ed3bac96ad13bb7beead8ef4bf20dc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
40693424e1f8fda87784984a140cb911

SHA1
d4abb4a6e730dc49909c58caee6a9e5c2b7a1c5d

SHA256
9d94ea8cf3da104237d821c6ac6cc0504e8b8c3231589f23c657f53795b5b59c

SHA512
bfdd8b8546e40ab3dafc2906264d893ba1c642ab0fde96239f7f0b57f3a95714989392a0b88896024af6a10f6a62a989b2d65ae86cb13307e37247bee73ad35e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
633c4871e5d1eaf91568a610ac8ca79c

SHA1
a136a3af7ca4999cfbde8ca75ca7674da3f52f67

SHA256
a0e6d6c103bdf318d578ebed220ecb2dbf9774e007b38fdbb500d01a2d4bfede

SHA512
b0740b9772c3315862f1056b4b6f41dc119fd82b794194a9b9d278c027a3900fa7381a7e7d4cf0f1329bf33725d15d7776013a9fa429ca0b3d832541567626f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
0ec0a9e3f2f9c13ee959cf3da93a31df

SHA1
47de6b481d5e641a6aa20f557620f022a03227ff

SHA256
c346e48b96780fea545811aad74c041bd9ff8b80f541ca9bef0d54605ac4a4e1

SHA512
b7003b5f4f0d1484f98659983d2d24db0b34eb1aa42b038b92fae198f909067bb0fffb18428f3cfc008ac2600764cb72e5af4befe7ae0677690681b12da7f845

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
abf7c2b0563c5b4dbaebda9b37b5cfc1

SHA1
9fe14f643adfdb083a0ce9a80fd45d8b6152d490

SHA256
c6ecd3ef74835b64f96ae128fb4e2a80706f1604b29ad51e69c150fe64d6a3bf

SHA512
eee0546938d5698a8e34da279212ea720c9ae6954112141bff69d3f1faec80f11cd1bdc865bdf5c2e3dca911ac87ee45f583d9631ca79d374331dd7ad10b6ef8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bc317c1f9407029ad8c88d4fcd0f5f72

SHA1
0e9eff092ac222c6cd5137871a05264c91988761

SHA256
8e8d897e6aa388fe3896b1f0f2fdfab074ff6077957d77c1de05c93ee3bd9ce3

SHA512
61f2933c7fd1ee9010a9d5a80adc1c1042d5c5350bdcf8be906e905d2dbbd6282d1acbf12cb051129519ab0705d1d773a984d8688beec4a1f52a2eba06a05b05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b2b325edca99249bef93686ebd854c02

SHA1
819c059f43c47365321a364f85a1d12ce33a5375

SHA256
bad81e618b5c3555c116c1cb48c9ec058cead1c7254caf97dadec12ef3fdef3b

SHA512
1af805e46162974554d2d4e3938a535ae245f57eb402b924e1d6a3c42114bf333201d5446b370084cbbe0e194acc3efc007aceb7c911aadf5b7b53af0f4a019c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
94a20ff4ae6ce9c7c3e89a79aad2bc6c

SHA1
c284537204417afa3bbb231541ad6470a1113e6d

SHA256
03cc5e828ffc4d4ac22a82a97aeacc5ef0dfecaebf0e6c069a56da3514946fc1

SHA512
805e56a1a61783cf3ef703afdf2c1e30551ce7be0c93c8624cfcf5c1e76d8217681bb42b967973c64ff889a291521ec02309d1b251647cf21c6360c188a75759

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a2f43b31d53afc6dee4c5d49bc069d08

SHA1
b15168b262b471b058dede26310465cd4b3db5d1

SHA256
f44293a955eeca0f3f438d04df3634f785d357a652fcc4d6aa80beed3c0723b3

SHA512
0f71283896871a66f8c9993ac8b9dd081506022571d997cf36458df6ad96a4d62867673e342ece2010b3c186a19c797fcfed8b41336f113f1119bc69f6286d66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
25c4817670b921aace04c0f6de698de8

SHA1
86599a0758ae76ece819653bc31fa178d95ceea7

SHA256
4c0ad663a5fd4bd2801e04021d8fc43f687f9130b60fb5d772de80f3d434fefa

SHA512
b62ae0db24b50fa839824c2df1178250c7ac394d21aad2cc386977184ce3fceb4d0d0baccff8ccb93cf60375188e03ae62895d07e6463a57ef4dc3aa8481a768

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
f570b1fe7e2abca3f3413e931bb7399e

SHA1
8b168026993a54adb7805d205c8eee09388ddf65

SHA256
92469080793714796c6881ce461f48d15d7e7bdd2248a65e75b8f29d2fa857f7

SHA512
287605948059502dad8479f30e4b1313f270297f84ca12594dae2fde31c5b3e5279ea4ac362327082035ed58aa7f8d850edc9f303e08375178d0d70492caf821

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
765768223ce19d9d1c92b562e331f57a

SHA1
302d01efd43a4f9a82e3fb55117fe9989518bad9

SHA256
4c5b3ef49693aaf08eb7dec023a7feed245eb718c306af7ca6d5866bd5594e7f

SHA512
72098e10e2b58adf3160ac51227ff399524e8b7223a466056bb9d4f8585f7ae24f9e604472e128e506cacf101a89fc572bd41c4c10c8578e0ccde75862714ac3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
155be9c7b8e5248b5be1a98200abde7e

SHA1
5f6ddd53dbf198312c1f74bbc0f520166f5c7454

SHA256
a16b8ca1e8e2288e510bf9389c8d20cb2eba719973450c36ec8cdea2c8c979d6

SHA512
8df23c9ace03da0536fc00dc89a5c7184299683e8fcbe2bce69bc62f9dc996c85900847f6a549a856f155b1885cfbeaf6b1740b9fb823866552a8a4b21897f20

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
bb8ed072f91f375e69b12fdbbd539393

SHA1
e66745d131b132c18a292fe2a9ad8403591535a9

SHA256
504b2dd0b0c71c994eb8a73df171dad9170a32cafb8e5105fc764f61b6e38c4c

SHA512
1c1c6ee566847349798e42a325e495fdf34b1d710c1f6b00787a73650fe8577e6955f2e5f54eafaefcce54b8a0c8e508308adb6f31ede1cd6c88394ed94061da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
ba28a4a79967bc425297bdca49688201

SHA1
f8336010be51109b4592de7355e1dbfb99dec22e

SHA256
4f2934c13834c473059aff236eff420aa8ed7187b2f947473c2d318a49a6916c

SHA512
0f0c62bf784da0b6974b912fac3f17920db5a758047a01cc3237832234433d1ee13bac501ef796588f4f275a68d1fdddee0fbe5e6c83f4d26a3e3f996daf1c90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
5b533008616b5d30ae293b9a373c94ae

SHA1
23d0f8a2f90b586a5988334c905154b6f68121a3

SHA256
bbd5f79709b8969119cf0be8b9542aa14dded88a64106c1023ea22175d97495c

SHA512
a1547b576921f5ea92030d0313ba8d09ae518594f6658d64b6f691bd3db843097b74b453877a5b9ab93f789cdb1cc6d7a375a8298f6511cfb05ec91ddffb597a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
e63182ff1397f7757021f73fdf53713a

SHA1
09f44cf4a8b13639e6f9aaad8799faecfa19f424

SHA256
906fde4410ea7c2ccf091f5c08d431f3eac1bb5d498f8e430df8d686fbf25c3c

SHA512
016ea8a5f7cb889bafd0a55997583fc86d825c9436f095d757e2fdc4055deeeb0a2d20924f397118158d086875bfc992dd9674e3eaa9f7ef73d2010d2b7e3d1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
aad22e5977208d4f9f14fc1f2be40b52

SHA1
e87eb73c4033ef9879dd777c43451a96e3cb2a0a

SHA256
48e34aaaf4173b0a061a0a9e433e7bf878e01dc69b77a5d7e77315ac90b7eb51

SHA512
5972b78e1ae569fdfc76e633c102bbd0a21a677e2de2a68fc28e153acb15ef761135e914ea2e36986941795cc152a4742bbade265bd65a7eb46cc5564db2d45f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
80665eb2454898106871e29fe2eb0131

SHA1
eebd281b8a31fc6db3455d7c4d5b12593bdcbc45

SHA256
ac8fa536bf2c2191c3edff60cfca397492cb042d7aa8eb47c193f48478783215

SHA512
a997dfd1886c3fec1907e9641df075813b8f2dc21381ce678100b5119ff46d3fe95b55a28cfd99bb2fd7d6a9995133ad26f4c76978f01951dab7e6a98e347454

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
cb1bde438d9536b9b40f347b3b2dd254

SHA1
39cfea5b85a1ec05969b20d42630bb6238bc54db

SHA256
c73b2f91fd17f8f8829a2b89bba7701bdbfb4adbb71864daec3592b7a66e73d5

SHA512
c49b20cc8f6c3a3a1e81dd6fc9d6f2a4ea96d04e3f7b8181075e34b3b1e47da5ff3f2d2fba4036b3107c8f7830c3c8d0a71f27c9401f8175bb892ba7ccda5d2c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
936fe270098e39ffb4c0caeb004f5c53

SHA1
6bb19da4d787e753619d764328cd6bfb0129e7d3

SHA256
fe7870eabd607d915f4dada00d9377a1b260707d2d778f2ee3e449d422addda6

SHA512
e1acd60e19e963e1cf6003a37cd7f5827f29bef3fe49e9a1133162e9697af0336a380434449a10875dbf94de01fbbd890250ecc222e3b0099da8da3083b3b716

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
3dca0a8bc786f5baed92e279f30ca662

SHA1
688e07ba4e75ce4eb58ef8340f18296f947f8ea4

SHA256
f6c72517c4375d451c56a52c3be2ddd99eebc6762f5ec8af4b4c011eb797c6f6

SHA512
99b30d0b6c0c4b4b342d9b4f8e5c569e6c7294c9704e285c7206a56cf85760d16c0d644af5e28ff2ca01ae1e4a0f4a0bf5a419c7652041dc4a2a4d9cad837076

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
07ed4d96e41355597f88718550dbb20c

SHA1
ee0d006cf72291b86459b5b61f4d90ba51c26c41

SHA256
4cd4cd529522f5ef40a019a42da11cf17e3cd288fffa8746d7deb2c9960a5c82

SHA512
e977f3b872e82c7ff41cf8d2538cff70285bf9adfd53b598948ea81f53a33c35998a9afcf0a495cfdd7eeb3c9a8fdc4708d040ba418cfc3e6b5415a8009a269d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
a21f16135d143ccae01f70e3e14d1dc6

SHA1
9d3d09b6567b240cb6d1c2e2e9ef807566eb98fc

SHA256
554beb32f631595d5db1d16ae984491608d01fc1a006a41371e5bfe55bc077d8

SHA512
3e7d4f8e7e3a31ee4048f7589a3b16169045a026a316981e7cfe1b48b1d398163d4aa45cf29562abc5fa84aa6eb46844581d908e12e8558320d445b75c117675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
4f036ca975d47a4a4f52c6faeb9e5b5b

SHA1
66998508f6393eeea18ba2084ae8c5650cd9fa5e

SHA256
e8b0e612d89e1d6229e6f2aff694a99f83c53872989dc7a662cb986c03a45bac

SHA512
a32e0c5adcb4afa6ee147b60c1b61db7e148e476ba175bf9159c002a426f7e722fb352d568f3a6f42b234a871c36e21a0069e53e7130c2a6ff5a85af136550b8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dfd361c083983787cd6de1fdb9f967d3

SHA1
cc8965bf0b219b7bbfae0f82db4143420e39fab1

SHA256
aab7901949f8857417a8356c6abc72a1be4612137e10445328f1a2e187c6388a

SHA512
37c944a4545ebc786df1c21ab3af4ed0129b95ae0f3ae7e1c6b19efcf1eb2e12f6f4d2903e158615b9947675db41302dbeb55ce030ac91ed29e1f94acea2646a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
35df5320c18f8681fdc00b7f681cb6cc

SHA1
96b1b57d5110ab2524da522a1ca43fdf127efd3e

SHA256
601cfb3d52d5a6a498fd0050feab3ac20efec0aa71d8c0d9e6a8b627d705c67a

SHA512
01b74a6817f11e778f85fd2eeec08e66cd711792193063cd0e86815d121f92fe4d3b9930934a45f39457b86414cfe45bcb2a72716d3530a04ec53eba162a3f77

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
4cf8505be80b9197051247c0e608e323

SHA1
f1902f717e70d77118a7aad82a949c27bfcc4261

SHA256
6849baca4000d1676ae5110ff5ad078c4ce216e97559b94e42ae94cffa9cdae6

SHA512
92682efa07b5fac64a1177b7cfb29b7f20405375ad58f38117963c92247eee88a35f21905c8c6f49be6bf8229ffb0852178eeee12ea15c8c801d5670c372732d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e08d5b11766a0159cdb6da0bc4944703

SHA1
a1ba36c34b087cc712054f1dbd72f6635dad4e78

SHA256
68fb513c2586e16415a4344768354ad209242a12304b028a58cbae5d0d30836e

SHA512
6c8fcf688e2fe84a86e0c4acec75d8f08693a350752634a248b7a16b26d40aaf9dec34f17f17a42610b957b8a2133f03bf6612d493bd1e106d90a399e937b71b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
fdd14fa996e17e1dab333ae4ccf8cb81

SHA1
ecb3f413558f49b6ba76ac9bc66235ffa37217f4

SHA256
d71190066a7ce8dbe85c6bfa8c1d49b0eda035e9b8639256de36d4bf45d37bcd

SHA512
a4688b734176caeba30fcf23d2612a9e01de936f9233335bc691dbfe00d661ffeac43584915fdd5963761b4e8ed29cee251b7bd700aa5b6517e3fe5c177db4ae

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
be327bd2bd89c625be3b5afa786c8d95

SHA1
91e164a858ff962d777c3c7aa07a732f4f63fe08

SHA256
d8c04e070ac23a96c1cb1192ccea0b5933a6161896ad748713864b7fd77358ae

SHA512
cb54aa90160f75f1bdc9a6e00414511fe8cc8347b9d54269652d54884b0df6c461ef42bf092a1c3f1bc7caa8209bc5517703874d893ef12e429af21af163780b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
46f557d7167c108d714d0d89078a2127

SHA1
8c546e2d9e502620e63c78bea452b07526539dcd

SHA256
da710374b1732ed115e4fd217647c14208fe47f1f7edcf81d1b919f57866c65c

SHA512
2a58f87a407e0bacefef74e3e0b7bfa0cfcc7c6963299a9084d67b0dc862d8aa8d5e60d1459bc43b8d64ddb3e72325d422c3261da446908c3b2379a508d71f14

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
d95caba8d50af11ea8fbcc6a0186a3b6

SHA1
eb88de9f74d8d24649a7643a4ca510ab8b6968b9

SHA256
b9e5f7746dc9a35c30e4eab00814012a25806cca212618e5143cd0c0a1c31530

SHA512
a053d110ab166e8ad2b90c4e9cbffa668af9aaed4685fab9621d1836fb88e8b44ad1c8403913be34168da6cf8160618c9c483b876b35fd7a5c4b9ad76d724c8d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
31253981ad1f9fe9f6c62fe7180e6dad

SHA1
16cc90b4421263149d201a2d2ae7de144f86bce2

SHA256
ac7b4898ce17c8016f0601b9c19fa5242db51541c7b30482fa95d111b3371731

SHA512
afe5c9c055375e2dc16382db44bd43ffabfd177e0f1a86c30e37f5b198d8e00c21de2b94e9bfbb86f32a0b55eb60fd43a366eb326d9d2d9c18628340c49d6b99

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
23fbd688077da583ee4de9ad8bdb5b36

SHA1
6920c329090fe94749f4781e21aa02eaaff7ca5d

SHA256
c1bd44ecc3ce2d1a9b567233b4f0a9c9e2868e3a8fc326ec633f47fa38c2e264

SHA512
01836691640fa6ab1ba5f622d4da54448fa34bd340d2ac3947c9688e12ad0dc5d5719de377f955eaa31613fa8714bf5fd40059033cca0e319876b198249c919d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6bc91fb6fe4a457b8138119a64a844f2

SHA1
fe938a0befc55b0a6dce7cc1ef7613b19a6a2a17

SHA256
1cd88ecb6444eaf8293feb7f983f283e659fa466972cf2686e96cefcf01f73bf

SHA512
1355f876e2fef64655878e16089e09f76bde9178d65238f41c7034867150eceb6f06be3416a8075bf905bb9898ae5470efd6dbcd86583690851217336f3e8ca1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5e567a4ded594edccb3e637c5b98c003

SHA1
bc3e3ad679cc32af02b0606a3ab5e6295b181098

SHA256
c6d3e0b0827e7297b797748749a9cd1f99326ac7ca447344ab72a92b88ab3af2

SHA512
c1ed0571b9b6d9f427ba8112774fee357b3c6cf1f35af91bda802d67d05e83c7aab55c509c61030c219ea68bdb1c4b3c67ce54a872b2c96ab6c39df634bf38e0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
48733e33c771b41d8c924b52876da63c

SHA1
da8e0d9a37f4069013b614297a017592913a1a28

SHA256
5260ab96435c3326da4a41a390e2930fab8c4831433784144b742de75216c217

SHA512
427bbdf0ad04d00614f748620adb9531cdcaa4d20db8335073dbc7d962538ee9534f4c409cd393a3d0bbf69cdbc1352a5fe145e86327674b76d6dff25d48a7b3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e4ae19fe8a3bb4c632f3afecda3410f4

SHA1
7cafdd0ab0d1b2c4c967ff68ab6100f924764542

SHA256
ad23bec97818d054f38d562405d131466d1a7f7c2bef0e722d4304b17ca07b74

SHA512
e1a3f22c81c6d7fb773e4282de2ec7ff025be99f1b46981d8eb4ef45668b2f6c855a1ae487e22466637d5cdc995f818e68db770aa48b65e44424c1e950a6ac17

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
df28ca8308b497970c27dc4790973751

SHA1
af8b3da94981e14cfa0159e30beb22929888c7c3

SHA256
7adf7576b3b53b8e8c13d7d38b4980797c6aea958b0df3e5a6318bef52adfb6f

SHA512
40e22940582cfa815fb285f6a55470d3739055f38780255e2e8120224219d16905794bf0741310a77cbaac5c70d631463d3c4d4284c4e12c104e7b6f50abec35

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
7f24790a31582ace9d00aec6947f8ea7

SHA1
5f6353a27c405fc1cd71bf2504336b4b5ea3de61

SHA256
c92e6bf846f3d2c21ba0efa675a01d789cfb3f5e2d2965299d2a91b9c2e6f2ae

SHA512
ca37315b2be6f1d57991f6cf8cf7bed7cc3ca3fa4915c9e41e8047eab03634455707fefd43f485074a387d6fd3d6a77839a8819b4af8a5b691692542415668de

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
e04bd504ac6df45ff24f867e7d449ee0

SHA1
37cbbf25a68ff47329e7705a678fe2fc1d620d68

SHA256
ecedfeb20eafa9faf191667a6402fa6f8531b091cf6bc0b832f37484c0100dc2

SHA512
945197b2f53d4cfc4bae0d7a72166f637289912e62c9e950303742105c01f4a371767949e5393303f58e125dec133233e61a5989354d29ad133a65c77cfe5d8d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4de392cb6dde2a457e157ab82fcdd55f

SHA1
50e0430d346264a83d715aace5fadd0c00f16c55

SHA256
9deb21ec64fc2bc05c27a665a80426be2c7cdd1b51a2694ec2bc1bc643c70487

SHA512
44a6c3450f25fc70b284388ebf9b083e23ace4bec899a270554ca04a0748f5e4bf618ed4daa68920bd073fd0b91d8d6f938718a0110ac5350dd067d130ef7fe1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
fe6556e1e93f909fae56bef940a100d2

SHA1
7606ba72f5db12caee65ba1ed75ac80fd7dc31e2

SHA256
9837f17fa390bc483666240059330477fc418c4b400a8705932a9840d0ddb798

SHA512
72c724baa3aa1bbebf1f18e5d3ed02cad558d2dbe6e58b80ab5f8678d316b46f7a716c11f03d594714f036b37e6ec0d8875479e6d707c6a3e6a65446f545f279

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6a29020cde327967d2f9fa26a757e92d

SHA1
2c06bbd7e2454aac2b3aa1b02d23bf7d92de7652

SHA256
cd5780660e9f8acc506653a402338c33b200a181da70d68d556095aa10cf915a

SHA512
17edac9c9e8098b7c6034d91e8f18429042cb38a28e4ec79be976ee805c4d15a4bf85ecf62269a1984f085fd77f3ecb4eafa6ef6d73f7c9319676e442a164e18

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b6b759c06fedc5d73f8a67763c38b37a

SHA1
90928c5325dc35da4120727a5a84bf397fd544f7

SHA256
ec0a3ffd052f97e270b740418066bc81ab577ce6f8e2f98ee749479fbbf5ee2e

SHA512
794ac63da8b3a794dbbbf35859d593e6d4ce45c26e267b538fa65d4f3f79cc63306e303c9dc22872711c3812061ae831113d41566f847210ff637f012e6161a0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
b1c4a01ded0eec05cdd80713d1195ab6

SHA1
19666b9e8f859d486ee21af66d8d54da3ead70ac

SHA256
b3553377ef97d01eca9f76faafa152957b4df3282ff52a7269e2281af2253ab9

SHA512
ba6aad72c0388abc782d99367077928359a49bfa7f16e6a0f0709ebb0bcef00ea54b09d6ba290472ac7dabdce4e095a7936e27f8c3596eaa707acee751b1079a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ead15d0dac78a983f00450fed79f5fa1

SHA1
57e728194210b4c138fc679adc636e3618abdba8

SHA256
8289ea241b4336b04ad08c3b19c5d7852263cc6f81aa8f2ccd9274b29cdd5125

SHA512
12a4683d5bd322b75a57a40dde9b37877c5a4493f7e252b648b581c62aed68f03121456dbd37b0d96466a7cda0bca64a0f511324d1b4b885466d21f1a676e1d2

Download Submit
memory/880-338-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/880-743-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1088-111-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1088-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1088-119-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1088-704-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1088-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1088-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1088-105-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1328-6-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1328-1-0x0000000000640000-0x00000000006A7000-memory.dmp

Filesize
412KB

Download
memory/1328-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-183-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1328-468-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1540-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1540-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1540-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1540-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1584-352-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1584-685-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1584-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1628-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1628-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1788-705-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1788-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1900-265-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/1900-703-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/2096-744-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2096-353-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2588-664-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2588-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3284-158-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3284-157-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3284-276-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3324-299-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3324-180-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/3404-337-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3404-206-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/3592-254-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3592-702-0x0000000140000000-0x00000001401B1000-memory.dmp

Filesize
1.7MB

Download
memory/3772-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3772-121-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3772-126-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/3772-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4036-303-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4036-184-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/4212-742-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4212-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4244-609-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4244-237-0x0000000140000000-0x0000000140145000-memory.dmp

Filesize
1.3MB

Download
memory/4456-155-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4456-153-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4456-148-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4456-150-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/4456-142-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/4568-75-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4568-64-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4568-43-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4644-321-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/4644-195-0x0000000000400000-0x0000000000546000-memory.dmp

Filesize
1.3MB

Download
memory/5092-205-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/5092-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5092-20-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/5092-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download