d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 15:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
Size

1.8MB
MD5

6eb1e36ef99c3438b3bf5099066a01e3
SHA1

f41efcb6cd0f29d2a92273b68b479ff76900d250
SHA256

d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff
SHA512

eb629ff47d5798e9e61baf195717bf2bf6e9955d64395cbaf0ebd2d138ac1ebf8dff1a933b8eaeab4626d36fddb87be9a731c6033faf6b8cdac570ef0b8c63e7
SSDEEP

49152:bKJ0WR7AFPyyiSruXKpk3WFDL9zxnStgDUYmvFur31yAipQCtXxc0H:bKlBAFPydSS6W6X9ln9U7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1556	alg.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
3800	fxssvc.exe
3828	elevation_service.exe
1068	elevation_service.exe
808	maintenanceservice.exe
2256	msdtc.exe
4072	OSE.EXE
1368	PerceptionSimulationService.exe
5012	perfhost.exe
4364	locator.exe
528	SensorDataService.exe
888	snmptrap.exe
4292	spectrum.exe
3604	ssh-agent.exe
3900	TieringEngineService.exe
2092	AgentService.exe
3964	vds.exe
4092	vssvc.exe
4248	wbengine.exe
3892	WmiApSrv.exe
1916	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\337e9d19c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\locator.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\System32\vds.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe

Drops file in Program Files directory 64 IoCs

Processes:

d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\GoogleUpdateSetup.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\goopdateres_ur.dll	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\goopdateres_uk.dll	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\GoogleUpdate.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\goopdateres_ru.dll	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\goopdateres_pl.dll	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\goopdateres_nl.dll	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\goopdateres_da.dll	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\GoogleCrashHandler64.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5890.tmp\goopdateres_tr.dll	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

msdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exed414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000031a2d048f0adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ade4d649f0adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3ad7e49f0adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000053eb3b49f0adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000915d8f49f0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d011149f0adda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5744549f0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000264c5d49f0adda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3600	d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
Token: SeAuditPrivilege	3800	fxssvc.exe
Token: SeRestorePrivilege	3900	TieringEngineService.exe
Token: SeManageVolumePrivilege	3900	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2092	AgentService.exe
Token: SeBackupPrivilege	4092	vssvc.exe
Token: SeRestorePrivilege	4092	vssvc.exe
Token: SeAuditPrivilege	4092	vssvc.exe
Token: SeBackupPrivilege	4248	wbengine.exe
Token: SeRestorePrivilege	4248	wbengine.exe
Token: SeSecurityPrivilege	4248	wbengine.exe
Token: 33	1916	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1916	SearchIndexer.exe
Token: SeDebugPrivilege	1556	alg.exe
Token: SeDebugPrivilege	1556	alg.exe
Token: SeDebugPrivilege	1556	alg.exe
Token: SeDebugPrivilege	4764	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 1916 wrote to memory of 5832	1916	SearchIndexer.exe	SearchProtocolHost.exe
PID 1916 wrote to memory of 5832	1916	SearchIndexer.exe	SearchProtocolHost.exe
PID 1916 wrote to memory of 5900	1916	SearchIndexer.exe	SearchFilterHost.exe
PID 1916 wrote to memory of 5900	1916	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe
"C:\Users\Admin\AppData\Local\Temp\d414cb504bca971a46d18ddf65cc5baba8358bed933475dddb0660aefd37edff.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1068

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:808

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2256

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1368

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:888

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3132

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3900

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2092

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5832

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
05605bdf31c6f59cf91177ec0ecb0d9d

SHA1
fae1eb2c458ab37d69125713222bf9240c0c6ad6

SHA256
af07b3107229be931237d0c2f9ee602ba352f94cb2d80cd90f533b1e47dec03b

SHA512
5ea530fb83884e362cae0c14a9a77115fa4ee94e3ee5cc1defdb1bb2572b61a246b07f72769c3ccbcc90fb50ece5bc5b2dc2da12ac43f7c35ca96f97d1b2f8b0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
bba6bcd72410d5e2b21167f65815e518

SHA1
fa1e627c4bbe499d9e9ce7b55dab19d4480e3605

SHA256
f420b0654f88fea2ef480b80ef49558c07d9e11231f9c657190663841321b550

SHA512
df79b2b2a0e3dc12b35d2817c758602fa9549ac89161282f29aeafe36e83cbbe989b7b4f0223215a45f4c8161e09e19578d8e839f5c9cf4ae396678d691aeca6

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
27b274b0ce9ee43c6a92653cb7378b2e

SHA1
bb61ab8dcf7162982772cc6d33777fcb8f12d3d9

SHA256
8161f7faa9467cf8238e69247645c67301de34704a23ba7e047c6ace4f2ed33b

SHA512
02147cffebb79b67a5d268409681a1705c46b03cd5922818a7c1fe9429305292fd48135f40c3861edd20f6159688872ead268f790187efa24ca5d3ff955d16aa

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
3f2113d37ca7e3be0787ca23a2e2bba9

SHA1
6003e5529f3f78ff4edff1874f31db1fea7d9ffb

SHA256
770ab6a9ed5f6d9de13f17c98b1a6a0d40a3690c532c3c1895631a2f6e312fbd

SHA512
a198639b147805edbc88fac11592441aa150cfef47fdc5783b239f670544af5d6c598cb73b08c8020b2e471d5b8df913bbfd0420bea1cd0718aa4a9ac9a54d82

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
9068c5866697327a5523cd82a2013f35

SHA1
1d9792a0ff3f4d0d7d4ab2575d25662c9af914d8

SHA256
204bd0aa5c9d5916fb2ebc04c7246e50abc3636b9a768d554de2bd8fa92b7fd0

SHA512
0f34e7543f065fb7492aed38711b461c0a8055504ab37073b198e32f30cbaef98f5705b354b7d0078ae4b24ec6379ea9d7c1a0c430bc5f2b8a6cb3e5e2ae220d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.4MB

MD5
9429323afd79793eb58034895c9ad756

SHA1
fe6f26b5b850468c83d1d901099ebeb47f1f5761

SHA256
e9db8289adbbc378c1f9ba2bf8ac03c3e42413108848321fc6bda7c7cd8fa6b6

SHA512
8c8053173ffa42c73a83eab37a09a9bc905fa9120b47d1640f458a6d359b93fa43a387ab0c55d73d43984e1a14f2548c2796e0d9e3c7591fc92de85656cec022

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
999619ce3ecd129cf3b9a7b6c582aa14

SHA1
b6fff73d5f8e90094db60c57f2049133930630ba

SHA256
47ba5ebd4dc0379d7a75284d43d908ca8257c4fb5060875a7cec399d5d952d7c

SHA512
5ba2678946bd2a5fe1446d63f5e4970f7f3f8bb14332881950bab9f738d590ec1cd05651f1007fcd45d01b4d1e98bdcdac2f36471550a552b89ed4c321132152

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
4921b30c3adb6b97482a2a093fc5cf9d

SHA1
f8bdc59379dc6b474e3b5ec50d9db6acc0d62f83

SHA256
89f1d419dab6b242bad79d73bced1252bf76f976e73a0ba0c02c80ce3c2a096e

SHA512
11ffbbc757a2f0e021a1616f281c17276e1576d18211469ad9a39d0c98a8b76318d096d2abe61904f76742064841085e791f75c601d906cab78b99aaf17f7919

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
44cbd1e19dc5cb41366ce98bed7ccbf0

SHA1
38f33c47c6b1aba483acb94d56d655f541b71f42

SHA256
1ff36f1b0d730ed726a3822621023cfb4d74616196125191f2740ff77c0ffdab

SHA512
41be9cdc1d27f246f9987291aa10fdf997c422f6a8d9d0d7199e40cb046ea74ed769d9e81c1ca7247d97c24cfdb2c7ec75cf353192797dae1d8f9ef0d67ebb68

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
66257d16e5db4ec9c1ca7198074a109a

SHA1
65787db03bad5dbee2d8d4bbc8f8a0e190ce6ba5

SHA256
1d566f3d137dc8de7f8e62b7f3a7a60f81eeec32a4f4d3b0773edc766c8ac615

SHA512
a28c37110dcefb3440ec2b714633be40f898c677db3254e4c97ab55d4b12c94085177f07cf0f8b1c60d503d35d936a763aafdd818700298516a86bd14ae5ebd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3a3eab3f863e8424483ef4ae83ae1536

SHA1
60aeeb96b4f637fe7c2c977db5dbc031cbd1e441

SHA256
3c2c30eb890f67c1efba1a0df1bf62c00e11db8845408a1c3013f291609be9ed

SHA512
bd69ee8d4bceabba20c2a76eab8d9426ed8be1090e5656dd899a4f87728f7dcd8430485b4e96fe8cceb1e08eb3dfbd8d1995af8cbd6881909e0e1213b2ccb4e5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
ce6444fa203ab4fea9c638d4a6979b8a

SHA1
6ff0ebfb2a91f4c31c3f5406404ebdd0fa4b3c61

SHA256
5845dce2c0299478ec8aa3931deec6e3b5737c8625b85da71694e562ce87370f

SHA512
f06784e6fbc04b4cd04ac5c8b16920f47837749ccac87130fdfc0f03b7d27ff31d7f0316e4014a9bff176190a666d69667c679526224d9b57344f1deffd7ebaf

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
7c6d7d41863824e8d32f4c33fc1b31f2

SHA1
01705df8da2416a9760e7b9363699a50085c306c

SHA256
b0518bdb535fdce5007843ba9d5655759c78990cc2893a981c527e0844307e61

SHA512
d1c9f27d7a6cdb3cb8a4bf21ee70d919df2be4fbe41161b0e0156cfd92f77944eed32eeea239fcb62b7f5e01b2b537300864111858d65e07d4806ecd2f5bc722

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
9ffeae71e79f99c8f33debb3fcf21f8a

SHA1
e31d42c1121fd4c37785908bd51d7d1a8408ae18

SHA256
d05a07294f73c80c8290782122b84fa6add0d98cf3891dcf796c8416ce503098

SHA512
dbe497bed1b1d8ec05dba81a500a3cfa30fe330470e1f95698297a706afae12b884c4b810b8796d14519591c0265b47f9b21e01cedae1b24e77bf00332d83d5e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
7ddd06a5e97fb732925cb7fa87cb5551

SHA1
88a0c5c3c6ee6ae1c0b523e5a07cf6ba11cae997

SHA256
ae83114b2b3b088347d4afd23e22d61605a651831b9667006830098c0667005d

SHA512
08fb827192476ab8418b35f768d5d41bf163f621a7108eb1cb55e46b5b543d05284b5eb7e691a99bf0b510c732261d56175ce78e318d8b63390827b41bb92cc1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
Filesize
5.4MB

MD5
cb6c2565f8b98520c31f43276f9f3819

SHA1
11219140df7c2414ed76da232a956b6dc3c9ce8b

SHA256
3a6c6ecbdee1ae9c4bb7808e6658a4d8b75ca1777d55ccacd9c4f68774e5d1a9

SHA512
0f04eb94fd1aa6e2eac8f4b670a4e06e7a85691959e57585fdcc0dcf57609556c5677953925e429bad774efa96ad93d57dd4f6f7d3b4c36ebf99e92b18761e9b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe
Filesize
2.0MB

MD5
6811b56f7de63b9ee66bcaddf07aebef

SHA1
3d0e2324b44d1f32028d84e1c2d37cdcbe23234f

SHA256
9c2a6bf64eb1ac21bf47aa61f8ce1cbe8332e004c7ccf381e16d84cc66785555

SHA512
ffbb586e02f74bdb31f8fc906c3e5cfba6066ce9185a77583dee23c7d6eea1452439c0a8c76b8a68700684cbaf171429357dc84a728dfd739370bcdad0b7355c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
5fddd5247b31a482d5136a78dc4ae400

SHA1
1c9a11abc454b63dd93397c4cf011ba87e9d99a1

SHA256
6c6df5114beb760e3333fc44fd40a3a13b23982cf6296649bf88a5c0f82a4ddf

SHA512
95b15c7e71552daa33ec491d20e28116038eed11ab7b61c875ed2f45a40d10ef0d00b407f188f1a1f78dcb9a2658237d608cb4b6e3e5c945500d8182a223f58c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe
Filesize
1.8MB

MD5
66f33d39e51ac27b42fe4d72459ecba4

SHA1
ee32d43b0e5305967828f23ad3d6fc0c858d066e

SHA256
1676d8fbf1f28357745d5c76f3b975749192cecab2f6aeeb34305132c437cc11

SHA512
ae46597584e56f4d902aeb4454de45fe62e43f4c4c8317b8e4ba27ddf5c7ca94d4c3163a25266fc14bf9a868e5c2020843ce4a4890fa49cf77ddabe50100b915

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.7MB

MD5
27a7853453d418ae8e330b19ebda85e4

SHA1
2c621b002d794143ab41ae8d092dd6bb5772df9b

SHA256
6328dfe194a7218d150db7e7d12e1dd8657cd418232bfc0a5c6a7c1e71f5a07a

SHA512
60585c9b6368a7db094aa9337ec6dacc830b7d54d32a3f288cdf3980042b35ee128bac6dfd9cba593062c9e02db262c92b4387de087e7e065d395f5027476cf7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.4MB

MD5
3a11373e6a317ed20d9ac4d749281d53

SHA1
a2df7030ce335f33bbc1e9bed521e911b8f0de1b

SHA256
460c74d524fb6946b7cdc6c36c761e545391401b7b7f97a4824d0a9684837f9f

SHA512
90a735acccab1be0ee183a98ebef01b4e6ed4317cc5dc941ee089300556c541f48d7b7b119a8bc8e103055ad1ef440e2f5036ebeef627b3e8118ead445632414

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.4MB

MD5
98bf4ce9e65153fe615b41d1576e5caf

SHA1
3d7d5d10feb2c6f1c9ff3d9ee9c1ac95fba73107

SHA256
e3b8a2f99dae2e216bce142a89934b1c58ce67df65dc9a7f0a6c891671e2121b

SHA512
48aa21f925a5b2dd5d2483f058a8640f1753689e8194bc4a787764d6a093105d6e0c98ce71d217279090510a0c6dcbee2ad2b453f1ccc5fa7f277431e4c5c9b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.4MB

MD5
1d2382e16271bae2d1d5efeea0562651

SHA1
1bba1c0438a193da9c66385b573cd7787f3c5d45

SHA256
fa8feee7e846221ea3d53badcb6ab999800507261ba622ab4b3e2d20e6189a8c

SHA512
b5a646b4a9034c3e1cbd7784c1e41de22dd414b261f05a26a1bf61e73972786e6b06c0f2110f7020a838b32d56d49541af82554c0b4f1546d8095596800b33e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
229779b95c94c7f0c79a2837a7030f31

SHA1
3b49b9c207e4dfdbc51182b20a0e24d7801fa333

SHA256
6e769d9cd1307d179b7f6ba6473a77464a3faeefce319af29c284aabe9b0e53d

SHA512
31a546ffbfb0b1fa0d3d7c09660b2772684da07fdfe4fcc3422dca859ebd74b48c7dac3e48381873c9e2fe6ef9bdccca8c67b52cdaa0d746e48f67740c6f57f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.4MB

MD5
0835459a9a4490704035d1a5422cb332

SHA1
3567df7dd35440db2f3f4bcdc1eb5d3b46cb933a

SHA256
0748d619945395d5b7259a14b591b3da844804973402d03c573bffd4c98e3ba7

SHA512
f2702cac509effb1992ea1cb025fe790c1346c79c9a14abefb8e71428526fa20e9892eb6629ef6167eeb92f1d50f0317f519b9910942b9450dcaf9b4ac836cad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.4MB

MD5
6cb32eec18c33f9457ea1b66c2e3747b

SHA1
04032516745893a103e01338378c07fb43d8a9f3

SHA256
76be950176f8367450c6855eca35e84da86e3a125d9c21c9233f63474054a2a3

SHA512
d51af4231fafef7f48a2acf0dc0d02d3bfba5cbf3e2729a8a3eb754d72769ad607b7de355105a96c926f19508a7f1192b7d5d93c047b0e4e0c8058308b025a1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.4MB

MD5
2431cbbdaad13c0336214d57b475533a

SHA1
1137ee69ce4d56a8bca6aa71f8ae0ff6ca8056e6

SHA256
bc2154bd9da8a29ad95091f3285fdae8a7444b3e835135b19f0ee9c9da60e8a8

SHA512
9e164927e6074cde777819cb91eb671ac84087720a0568b6b97fd938c4a761d9fe98cf30dbf4b5fa8b3ef3b83523dafc407e6c9b1b381999f3b696cf1b04c75e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
d9212d8877bdf32065d72895dbd60f21

SHA1
f0650c46d06e4ea5826e69a21008f16431ba1e87

SHA256
c5920fb58924c432f6bb0c777a8c615af98b76877d9913aa4841340d4b8d53d8

SHA512
292027b05eb8a2286bcbe2c5db75debb280053a8f34784f4d6979064ecb3fa4c68516ca56073f5c9ef523af72315ce43a6e6d3e98ac538061e1d6a69a7a17ab2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.4MB

MD5
128f5ea6cbae1c3f616962ea98d0be1d

SHA1
867b5f231169066d7cf57c02a05dcf5ac5fc8f86

SHA256
33cc5e94e5e147d59351b1e2734666d34a8c763be3739014ff476420fefcb41d

SHA512
a833127b300b7db273846611d94362edd984536ce10692574f6d265378a7f9bedbadb9afaf94921c0e4ae163c98186189345ad6dbf9ab09a798a8e1cb2fe4306

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.4MB

MD5
cf39b4e0e053f50bda8c6b5560942e46

SHA1
cc998c432e195483ddcba7184c2914b91a6418c5

SHA256
069364db99717852500448536b488f5601d100296d31519fbac2d8264659039d

SHA512
f38bd3c2922077541868f5644343ecf211100af58dd31bd42c44f0c30a8b32bbb7fba41195a12feec06cff74b110cba53fbff9b35a42a88bf056b94cc547e2cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
8d29019818f74f10950322b196676dcd

SHA1
01026579d380a546be903f9fe93ae8170222f745

SHA256
e90f37fefb5f239104ec5f15f84c1e9badba43347d8923741e35f622812e2c59

SHA512
bc1196c7f2e0dc03fd54f6b02932df00ad99b48d9f914eb6c1e18ffba3ee53e6444e020a457e05ba4b90140e7108788583013daab6aacb5f013d709248fe4b1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.4MB

MD5
9c9e29754e153915c9c66e10f2ace19c

SHA1
17053bfdaaa7814fd151ce76b040a56e8ac6d52c

SHA256
0c26f8e64c579d511db6945677261ada23e9c3b39f6ca0b5a945b74ef6e3c147

SHA512
ff440b62f6c0e8c82938ff3127f586583999f59db62351abf879bea727660fd9ff2c015be7134e6f8bf12b3dfab5e962876f2c39df435fca7f30d717af0b1b8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.4MB

MD5
29b8df30dec3cb6ae5a20497a1aa6dfa

SHA1
2c5bbc8ee228775b665e45ea64cd2a96d2b577b2

SHA256
fb51bb2e9d8e37056441e1133d9f250c90d1bf3a96f738f64624982f89d8d6ba

SHA512
8abd379c1406200929f2da8689a9b29067b0882ee58387b0d733a76d2a41aef73486e51f9643ed0798c12dce2e0eea8d70a9cf56f5a5afaa156cbc281a3c04aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.3MB

MD5
cfad210b77c43ad24821061f41d14b0d

SHA1
0e27f3fd40fe5bad07e65a3bef5dbbeb2beac10f

SHA256
de081954cab678a207938dc72ae4bc6a64b560485835b07a55a14499c9e56d60

SHA512
6197d0ad2ede04bbc58fdd87710903c76f37bf1e8e36985b2a9a381ac1003b0e909abec4c2ca2db03b0a722679f3c17417b3306a9766fc8effe9205b2b6d3e02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
0ab2ba1273be2183e7f7fffe91a5a260

SHA1
4f0eeb50b4eb8d393fcd1c53b0400aa5f6d0ba36

SHA256
8966e50f8132227487a8e3f0878ac4ad991f21fd6b0f92823abc1effe1eddb42

SHA512
d084485f5c94a763a629e3827d3d00dc463a6b553670ea480fa4ec12fa125573d343373f9fe193aecaaf436dde383a08761b0ed94119a5f64f10d26cf3b929b0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
e56c05387c19583d67c0baaacf9a6287

SHA1
94caf762890711337f766ecc10938e024c8ba99a

SHA256
b53874c956c59a4d0365cfbbf8d9f863e4bb68793f9ea2d87d1d675dc772af60

SHA512
32478afa51ac1520d8e5439a242982e6d99670238022de84149f5350e84b06774e2f7b4bf9559a6330c3a0ae8395d0bf82d30a668895da0ed133e8a45be8fac1

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
56fab829ddcfb4b7475bfd14dad2b76a

SHA1
7978af1979da0ca3a7181cad7aa98412dd982f74

SHA256
cfd1e2eff0f5455a144ef2bdbc0c249ed0547b4475f9eacacdc21e78bc885435

SHA512
5984a48b24b2ba6d1e1a2e5424ea388d17367a9906ea5c2978cb7f1d649908919754b669f62ab09da4cd1ee73d69922576a4df24050ed0f0708fbe03c6ece557

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.4MB

MD5
ed6599ca60f6a059d1ce4a0c7fedf34c

SHA1
9a96f509105607caf0a945ae072b91c21f345927

SHA256
92228b94fbb59c762b1cdba8842b1c5ec1febcf38915594a45b0de5cc0c2bb77

SHA512
1c2667e47cd6c9afd6390a1f0a2762b3538ae25a6f943b70846397650d3594f7b433d9452fd3b8d28b01eb4cc8931892e193c0e3cb840a362e112d0b8744ac42

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
f0f0a9508e232c8b5beb48eca9a1e23f

SHA1
ec90056bfd831bbb2604b4e0dd2a0b0a8b0b11ed

SHA256
ebb82577ebb5a765475dbfdb4d4b07e68b14089c0f15749b693e6b508f2f9a5e

SHA512
b5c224a4d2cf60ced75035cb8925f530cef73fd8ad3dc357b9624b6bf96ef6c5d45c9641b14f695f2c33f42e31bbf3e11bee430ab5d0571a650715a3273a742f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
bfc04d6f799f8307b9d85b84733bb7f8

SHA1
d4fc81156063d11db0b4c61415f7393aa214f7d2

SHA256
67206df3fc46ad5f47c788c29d08b0f8ef53afe2fd7c898a8e2a98aee6146fe2

SHA512
dde6ac79475254087dc9cc057d85c53ca73717e4f6bb4cd4594188c54fb5a996fd213f37b9997a85260b603cd06735eb9cfe1b6139bcf84a813525697e06bb32

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
636d0267b50342d0483f92de33b2041b

SHA1
e0a902802e793fb2d57dc0b73e724737a7ba0e03

SHA256
4d7f238239d77d1a4f3bff66b808172b9e4aa3426a5c74f43fce07012b54a240

SHA512
1261a648dd6a4b38572becc0926d529c6132c9e815508b8bbcc98094f343dc9c2847fe83a8fdabac6cb0c6efc3e4942433d22b32b8ad8d199605e6121e647e10

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.4MB

MD5
aaed1b961c47075942ab2e6902c73447

SHA1
9e5c3556f601302429281bca183ea0ea75f231fd

SHA256
bbcd38ac06e466392a40a00ca57abf0f10a46eb46b46b14d76f145735e7804c4

SHA512
c6891b836a3caeab991b4ba348a554a9706a45c9a97de1b1df8f8fd2a566c40ccc9c913ea40c929966e705e716aeb92bc8727fe072a7c60b97c1957c2956b023

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
351ae4e0caf84a9dcc5ad2acf892e042

SHA1
e093f124d41cb9ea6ed452e1f2cd3a8fadfd3148

SHA256
941e60649a3b857f92ae225f8c7f3300cff4e4a9579fc9952708bc78fb4a3095

SHA512
e4d388b8ec3bc3164b02b1ccc367e13d23fcd023b9665901ff55359441e35a215d7c8b355a440f1a00192f274d771962a07c0ae6692c528deef0564f1ff2afaa

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.5MB

MD5
839ffbccdeb39843bb8fa1d4ccd38e93

SHA1
624b30dd8719204e5bb441f0b3cf188c1c177d01

SHA256
ce4ce232e1dd1a0e122a0fe09bd9f2096f4f187e41c0939ac9cc69a83083478e

SHA512
cbed4a2f74e2f17e45cdf06a956ae11710c007dcc60f944b61fae2c6a0e742c60bb1b707de24781ab3f858724cee7a3a15ed7d2e279361f9cc43c9e146b82222

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
7016c7a8958e77c5c9fc1b781bcedfde

SHA1
5b35078b0593cfe4229f609c866d616219eb464a

SHA256
165fe7db8df14fba3dc3bf3cb810b64e9045fdd2f8052facc40dd6b3d737ba5f

SHA512
31587b80cf8b7345df849cb8919ccabd76b8a97598941c08b91b7dfdbd7498e79e1d085749dd2b8060ce5f8faf0a54736d148fac16479e0e125ee616e28114e4

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
e7272bb857cd38849c4aa449dffc28f4

SHA1
6ac6ec6287283c38cf579ddc238b60c600038b79

SHA256
8ff56fa62eee668e78c062caa358b7da1ed08f8e52e74b0dcc0d291846ba405f

SHA512
26dfe280113227c375d16fa52c87bd18384fec61a2d669a84cb0d358d21edb18092a31aca2787f003d726f2272c3f59fd5d278aa55879558f9a7207c0d7404eb

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
65f601b310ff440a06c43d858ad724ce

SHA1
53aa93fa2cea5b83d7a89152d521da0b93527936

SHA256
ef3d0490708f5acce1e67a3f1c65fe55955d9736e3234b9cebca76c74e7c5c4f

SHA512
fbbdb210f7767ec7d99ac34f1e1304f01066809a68be7f9a1fa90d276186debed13e6ffc66037000b6260cba2a5ae7298496577363410aa3bd9b4d5a8e05da88

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.7MB

MD5
e4a8645608944563eee346ab7f0b4578

SHA1
5ea40827c07fb9c0c1372bd501b9a2c238dead44

SHA256
299529289976138b1ad71e8e36552f51592c6a270d3c16721760e72a7244191d

SHA512
0a0eef76f2696bdf97ac2a92ff266d54926bb16ca281d2294712384d4db0effe204f205ccc6f8d4cdaaa7f2da1b92fa2403071ac78b19d4ac5c3d45a2d3dd10d

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
3e27594917768e5eaf8d363478d7cbd5

SHA1
1aae0c11b11ae03c9361473dfdbf3150429a34b5

SHA256
8c2b2bd4d039b7e10a014f363532383fc24ae25097d50a4024b941aef90552bc

SHA512
947a0abc5b0c06384aff3f26290660aa6f24ad1539532a2fe005e90a5870846408b4074605a6aa1c18fe587976c0f45b93242508873ee994dbcd3f212f45f3de

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
aa704e42cf505bf46f7551fff7f27906

SHA1
922502c30434a936b627b0e227f87b4a13bf8886

SHA256
896b82d85281374c116331c3c636f9acbc3ec6f27bd922970c3f9245b2d38d20

SHA512
a2fa6b37711c622c439eabf648661036e0d6964c6bf89ff9aa741faba82610388d1294a049c54f4f96f5ed539729392e30caa2f57e7c13a457c65ec429f94e9e

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
e651e222786dfba11f2ff90a1150ec7f

SHA1
cf260831195a38bcc0a206692d4ffd7f46e4834e

SHA256
e9a3e73fa2f83bb7e156e1cdd7b4020df0a39c300288d0c3c16ff273d6c2cb99

SHA512
a03f0f802178f4032419b5e3a9f13bb587e1cc7bbb3d9173519fe4f933fdec45fa9deb13e1082c0d6c53844118108e79e319da9a1fd7377998660223bf3901c0

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.4MB

MD5
8dcb4036375d53b40fef671669c34f57

SHA1
4470bcf3150e91d3b61c80364024af8825a023e6

SHA256
4be3cf655d344018bc7932ad93a852f217de42eae66dd3c47f5e24cb89942ce1

SHA512
bb3be78338dfe2330a86822ac7e89642b06cc5d703d70dfcf343f26c0495609f7a071ada35eeee2985e5dd5c767be2edc6b5b1a586f174b5f90b7cc8e74bd780

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
eb6a0940e19ac6b785a37f4e1ce30183

SHA1
c6cf4869ee62f501fee3c90c45bf78fe142c5552

SHA256
efd958866263f5baf8e00aa9e204597976195f6fde38de45380f6031bda763ba

SHA512
b351df04e757aa1e6f2406982b9bb78c130eb857fe487a96e4db742cee02c09aadae26ae38ad27f6417ea5afac3d1f0c369a72761d465200b5d99810771c07e4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.6MB

MD5
87cdbfa2f7749543ccd35b0f39ddcaaf

SHA1
4cb4eb173ab66a7af5deab560cde82262f2a428f

SHA256
2db7632430e6b3cafcd7a3a265bf767242e68c16359edef99f048d136a6cf71f

SHA512
44806d4420464c4105f936c64dd2304ad91ed57798d203d6e215e05c774fb8bf9a6381e21132c8090a226fe86d102b89e56635c3cfa4f98342e1b7701b0d4685

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
7b69508d16401232e414789f9fee4094

SHA1
2f9cb6c3ac3d6a84b4336a84d0470837965e97de

SHA256
7eb9e761ddc44e7bd925b43e8f8e42e65d8994d57db337e6055a7c3a6a7a1eeb

SHA512
e037b01f232d30ff9c85c66751ab226a46d0f5a6f344ac4cdc37724eb232ee5a2fdf084e7ff2567b13d8b600b6961f188834b971381e531ac535c602b01194c5

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
2aa8099e184ddf4a9b429f2e050223c7

SHA1
45bfbc953502c63e01d45a52b9980b38d0007722

SHA256
681373c7c2e9c725e81692753b6a974cf50898f0061961fb1e863ab5757e225e

SHA512
358e784c14a3901e71ba19dd51bb16a69eec044702e4dddec16df952a15bd4718ddc108197dd0bdcae4f5d00396bb43ae8a0b1f744d1bab33828271b5a759a0f

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.7MB

MD5
cab6f979f7c5225c06b2603938c248f3

SHA1
9c822c9b822377ec79c5561b45015082aaecbb60

SHA256
127c143b5c2b95d25a8235b842a6e376967661b7d1f181348f218cca82cfab53

SHA512
65d78f46bbbe10d88d86dc0bd27f9f9f74c60da952ccac4e72d69f378481299585d75f8c629082418d765202bc036a57eb8c881d263a77d2b3abdb7c1242effb

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
34fa585f2a9e2847764e1f9aa811466a

SHA1
11b58388d7028925dd8f1514ded30873522d17bb

SHA256
4948a7949a5571479d8c53cdcd698f689831a188b57766822ddc63b30dcba032

SHA512
3d666f991593760553b8cebc1aa5e9e7842c606b833db68c64ac9d2b2e85da9427430885eac306a445eebef667f16e076892e07bbaf07aee40188a97e34fb4bc

Download Submit
memory/528-341-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/528-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/528-658-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/808-155-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/808-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/808-143-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/808-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/808-150-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/888-652-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/888-230-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1068-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1068-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1068-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1068-262-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1368-304-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1368-193-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1556-12-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1556-20-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1556-206-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1556-19-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/1556-18-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1916-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1916-800-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2092-290-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2092-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2256-159-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/2256-277-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2256-158-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3600-8-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/3600-0-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/3600-176-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3600-7-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3600-503-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3604-772-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3604-263-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3800-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3800-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3800-98-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3800-104-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3800-130-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/3828-241-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3828-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3828-123-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3828-117-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3892-799-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3892-337-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3900-274-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3900-773-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3964-775-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3964-301-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4072-292-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4072-179-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4092-796-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4092-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4248-325-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4248-797-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4292-250-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4292-739-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4364-328-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4364-215-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4764-37-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4764-26-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4764-42-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5012-201-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5012-316-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download