06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
Size

1.8MB
MD5

d95c3d8b7d8a22b5a1f0e030299e1086
SHA1

d76886dd9d148a38d370fe729818eb4e689d668f
SHA256

06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e
SHA512

5eee9d320d5e5d22129c6b160f81cba98c4a38f6a3c0f29125db1c120caa203fd4b73d11871801814a7be3e77c4814362cf71a1ba089279bc1f2ef5606ec6f62
SSDEEP

49152:0KJ0WR7AFPyyiSruXKpk3WFDL9zxnSzUlLpjuPA8IOQZc:0KlBAFPydSS6W6X9lnGouPA8IOz

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2880	alg.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
1776	fxssvc.exe
4224	elevation_service.exe
3028	elevation_service.exe
4952	maintenanceservice.exe
4388	msdtc.exe
944	OSE.EXE
4480	PerceptionSimulationService.exe
2884	perfhost.exe
2700	locator.exe
2104	SensorDataService.exe
1716	snmptrap.exe
2748	spectrum.exe
552	ssh-agent.exe
872	TieringEngineService.exe
4036	AgentService.exe
2124	vds.exe
2708	vssvc.exe
2596	wbengine.exe
5156	WmiApSrv.exe
5304	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\System32\vds.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\wbengine.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\msiexec.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\AgentService.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\dllhost.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\spectrum.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5c4eea72c3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\vssvc.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{125326D0-F6C3-409C-BC6D-35A6D8D3AF5D}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF23.tmp\psmachine_64.dll	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF23.tmp\psuser.dll	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF23.tmp\goopdateres_da.dll	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF23.tmp\goopdateres_de.dll	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File created	C:\Program Files (x86)\Google\Temp\GUMEF23.tmp\goopdateres_is.dll	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052fdbbd80ab3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006ff5cfd70ab3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000028b9d4d70ab3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001aa7c1d70ab3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002da3ffd70ab3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070ee4bd80ab3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe
4028	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	228	06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
Token: SeAuditPrivilege	1776	fxssvc.exe
Token: SeRestorePrivilege	872	TieringEngineService.exe
Token: SeManageVolumePrivilege	872	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4036	AgentService.exe
Token: SeBackupPrivilege	2708	vssvc.exe
Token: SeRestorePrivilege	2708	vssvc.exe
Token: SeAuditPrivilege	2708	vssvc.exe
Token: SeBackupPrivilege	2596	wbengine.exe
Token: SeRestorePrivilege	2596	wbengine.exe
Token: SeSecurityPrivilege	2596	wbengine.exe
Token: 33	5304	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5304	SearchIndexer.exe
Token: SeDebugPrivilege	2880	alg.exe
Token: SeDebugPrivilege	2880	alg.exe
Token: SeDebugPrivilege	2880	alg.exe
Token: SeDebugPrivilege	4028	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5304 wrote to memory of 5880	5304	SearchIndexer.exe	126
PID 5304 wrote to memory of 5880	5304	SearchIndexer.exe	126
PID 5304 wrote to memory of 5916	5304	SearchIndexer.exe	127
PID 5304 wrote to memory of 5916	5304	SearchIndexer.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe
"C:\Users\Admin\AppData\Local\Temp\06e10feb2c52673e350ab7dbd70cd7c69c4b8aa3f2e9b0040da72df315154f0e.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:228

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2880

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1216

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1776

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3028

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:944

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2700

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2104

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2168

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
1⤵
PID:4300

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5304
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5880
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
0d7b433ae52ec3578ca61de99b1491bb

SHA1
904528b3357f1e9e948821a506351c23646b0cc1

SHA256
2aec336fdaeb687a9f5d27aae46fee579b6d82322a12e468f881f0100d4108a8

SHA512
c73dfb4dd4377e3a6d8ea403fa95ded2a433b7c094dc92157e7ae06e94fd5004a63e65c28334b73269aa2da4d2f22d9e68c52ebf81fdab5c6e7577087d458dd4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ebd06bff1688dc52631e508aa6bd032f

SHA1
9c081bc2f0681d78f33c2914e0e778fd0a72b671

SHA256
d1cd9403db02b53a3292d13ec68a1956e072891c6a330df8f0158710fca041a3

SHA512
976d1086ee025b440a85d09d7fa340719ddba0252dc8adbde65d2ae21f9169fa9b560ec22ea75da871c13980ccb39b0cf096f1daa57be599dddc06399a35136a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3dce2aebefc59a0705ab495f04dfee81

SHA1
5424b4943401b2b355aec8ae077101dc63e0254d

SHA256
7cc9d2c36d8c978b8a596c1a1eb1450fa70a7238d6adb54fe162b42457139494

SHA512
497a5aed9217d009cbae41403d827e4b3b0d9e770445b87bbb7c9043f6454bdfaa76ee4047860d7b22313fac5a1bf04d5c8a5585c4f8f48faafe94cee9414dcc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
655b76eed6188556f3440e9996ccc054

SHA1
9fc64bde9267c5edb9eff1814d7e70e383cb4bda

SHA256
419cf1df9962ee1f3ed5429c9e9860791c6ad78975ac40a50221f90b0b770475

SHA512
c096be6c3a804eb456dc1515ae7669b57d497d0089357641c0ba16ea9ba026918f29d036bbc72649e004efe11e791840f26129c58b88e021f0e19ab36b1b9f7e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bfcd87fc9779ca65618c9b007bdaca7e

SHA1
9a3ca5462e6b790b8c39cc791907e0b344102483

SHA256
fa976d99f15a9e92dc7f5573b93cce85c4f5a9dff3432810db60fb0d1406926a

SHA512
796fc18a533fb069ff08744bb8235f5b4719e966dbb74183e522a53b1ece2a3e28f31781b168a6b10e463ba72f084d8ca74f5673a624e4ce356cff11e949c4b0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
38f665492fbb1f79e81b35556b30f9c0

SHA1
9947b0ea8c8054d23de9a45fe9baa47517ac18a6

SHA256
2f5c8ca4885bbbc856eee97d6a48c4af37dacd4016f9905e695c61e3a1d4c7ab

SHA512
641086a5c1660324fc9b301d8de1429f6b16089ea5254231ba23dc6629f0c5c6210078690a1908e630d21a76656835a4c17192559574f683b1431fd1cbf1d3b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
809abe5e70f1aba5105208f0715d8e2d

SHA1
7094110d398414bafac306daf7670f0cbd869e24

SHA256
d92d5d9a598120bfb4cdb3b610ecf930b56692e6411f64cd80a44a586d789530

SHA512
006db2f306b9723bb90a413fe573e8f2a89fa60fc516ba5b1e50221aa27a6b36d50beb90f020047d66a098fea9663a2ac5cb4e1f8640f19a48c4cbb78f516df9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9104b079f109d7647d78b9a121f834a0

SHA1
c00cbd85f90576e41dd3ead7cd1ad2a16f27dd8e

SHA256
0af86be6c602d0eb0b9e32c1c5284638b861e5e868006f905d3115d248ec2d96

SHA512
0121456c076775d66e9cf2ce4a26568bd70d6401c22d37aa67e225e2ae5bae901ae193b4db40e568a972b67f8ae1690c4c6f64848aa634d2c21ccee2cbf03686

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
3ae688314ea8786f33b7f070e2aae200

SHA1
3985a14127ec6fd088668f832ab01c11c6c11816

SHA256
daff49c10c5b1bd64cec64a624dd44d3a7f48fef28287cb759b33997f2d13d28

SHA512
06916844b310a9a4bc34ea688cde7ba3c857c5c734e320a1545ce78c27f8a18312837b9ec838435d667a9d97d0fef1e82a2d0f78cbaf99ae0016d98683e8a265

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1aea679a7c8c806216c04d1bc0779793

SHA1
6311afae4f5ae8a67a307ef214cef1f7f1aea4dc

SHA256
fb0c343cbe3f6045026d844edb240061737d705336aaa9fd8ba60f68dc1cdcfe

SHA512
5fa9c72804d80084411cccbb0d8877be243a94988a1e133ee61d250b03c896f3479ed4537ed5a31d695be04a4a5ac57a743ddad4a80924ec5d65ab70ff0ee2a4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e19a0a3a12d83fe4a53b58a9df35e70b

SHA1
02c027bfca67c0c82f952ca7293704b46c03641e

SHA256
036f16bf46c21f5b1fe15f2516e987c2a7830fd4e58871e62ddea2ef29991d7b

SHA512
d83134d5524022ff849bed5fc612b9165578764225a532d3a0c47f9f32e2eb76222b20252606c8c9973ee3dcf98c9d00bdb53174c3447d14fecfc51d862eb87f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ef9f56b16ab7eb013b4c4a8edfdda3a9

SHA1
9b1e4a9760046101d490c427151eed24cb7e72f9

SHA256
29d835764664003761a25dc3906d17e4c4c94ccf5375e84ff5a7bb36321ab656

SHA512
0c932a6fd413b50a9104dfe949991be8da3c09897e8a07edfa621923c007f86e41b6219962aeef25ad274d312408bab88d28ea336923a5fd1a32cd9b17eb9c1a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3bfd6ee11a924875451c50f4ace15379

SHA1
56be4e4fd343d81055f91311a185a723dc33ef3d

SHA256
772e749791ae8fcc7e4170ed3c090a61e675b2a31968407f595c5c505ccbf170

SHA512
726d6ea63a4176393f2cb342ce70292a4fe2f122a3450317120f386e2eb436bd61e5eb5896dad37bcb5af136d3cb66075a63e292b63b4e0b5b6e500019254d81

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
46dee4f02a7072ba359302c9e6f8bcb5

SHA1
2eea289ef670555a1b88cd61fe54b6a01d74aa51

SHA256
cfc2b791e9ff9dde99c2b75e9505fd9c3bccbb92c107e858e676c026e66f5138

SHA512
96f4fcf938e9b8d904d85be3773bf084511b1b4ee493147a52ccdc893933e03a83d719ae3b01f82ba96d1cd25e5aac04bd24edefb785324a68e67935b1f391c6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
495c25fefab7645b7e78c5e3062698db

SHA1
f469a752758e567b96e36b66594547ed3681f280

SHA256
347f65be9c19be1273ace371e4269fc9cd3e3f5505463694fa36faa946e3ed4c

SHA512
c9a6f432bc748aaa4f70a271b860e0309d7863fa0b97f4d1f3981c952a0cad0366f9fd00b679d5aef30bae843bb56b7bdbb9c2a0b338c44f340acea19cd495ac

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
317346d79e8de8b13c3c0e1bd9e182de

SHA1
768c8573874c60a6e3ba5c56c0f6d847f00cd544

SHA256
bf7b3a91ad8c7ea16628fd6d878e9212c15804195d07c1c0d3fd178a5a1f9a64

SHA512
bacaf1ced03769cee6c710366565ac2a9cd94cf53013680e7d01a7d17b5abcb1919fa1215a82afa34328a481e516af885640ed15691754bfefc5b8d096d9f096

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
bfecb64fba9cc1d3141e891b3e0c045f

SHA1
6682113cd86c180061aafca82c3e48425beab90e

SHA256
2789882bb9a81af07d3fff2117f99703e917f2ce0f6c87176cf26edffefe9abc

SHA512
216291064b207486efc12b1ca3a4872974d5e8b37da371248e119e725128f7f9ab1750d4447a48fa2a4d3a622d0ef2481ba8529640f53b30530b5c839b3cb1a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7a2e68c6d37243cd8c59d038606e294a

SHA1
2eb48ae0c809d5910c319966afcfb656bc35273f

SHA256
14f33fb66701ecf90672b5876b46eb24dbd9e7407db07631840ea681c481c667

SHA512
5b956041e8c5c6370dd464a3f69a4a28211da148f9806e3804ff75a48ed66d1d41be3794c7f3e84c10a21dd81fb66fc635789ca3900eed0a584bde73ace578f5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0dbee41efec520008cb6db2de60d4393

SHA1
7cdd4be6cc0281690de981696efe9491fe75e063

SHA256
e4c42df4910c62e86b137639dea4c3c8bb513381a849fef07be4a1c77df7eab8

SHA512
d3b291d5a8dac7d8accf59ab99da321f57efa2489123f92d632b0903eed7d43277dd7dd44de5e112eb2dd39b24b7d416e57a5a9a6cf0eb9615bbe2bd77138f9e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
51ec84413ec27e37300371124bb5d4d5

SHA1
6d448ece582b29154a6e08d0d5a79556287abaf4

SHA256
d6bf1fcafc0e4c3474ddcd1297d77f030252f71a79d475a37ad743e2ecf9df48

SHA512
ede429b4101fedb5be7d127fdaaa4f46a2de56e19e9065e69378a6a634abc37d269260a295abd6853e435b4995e78580758375019ce75370b4d1051c80c263f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
ddc5f872d8a1a676535141e59db418fa

SHA1
81638ea97a20a3d73366487745ebf89da543426c

SHA256
560ada8226bc938f894430f1e2714528d5158d7279e6e37879e54ba5a375453d

SHA512
f09e06266322d3db86111b762966f2cdf44b2293b109b2e39283975ca51076fed61dc5f638e6dcdca964bc6ed757c6f96495355e9bfc5fe97cb612296de3ece0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
590040187736d2f18ca04e89aed65691

SHA1
bac0380bf127e90cbfc0bd4b0996188d3558c24f

SHA256
a23214a39b64741d55a0405a4abb3e7b37c7dcf4ced8bcb4b54ca641c37ff23d

SHA512
3634989837fbd742499ca30ef672309c7533e17337de77e520737bea8a18f126b365b5faeb45c3c49dfe564a2a9d207413d2096ba27d02f1e71b21d4ca90ad41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
f4af95684e9f408756739edf8cceb805

SHA1
5a44aa4a06eb736c51316a42b4edd5ff9a6ff008

SHA256
4b9828a6aff39045159a62323e4f8b8a2b2ae3e786d29ecd64f554e59d6bcd5b

SHA512
243859185b9feb4b0a01b6412fa13cb5beaf4ef70594920344d9a3bea2019231e5ff1ac8fff94ecaea8c2894feb86c3d10006aa01b162bfc768522c6ba6118c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
8e15db5ac4b8d124427a1f02b729ee1e

SHA1
a0d674e44caa78ab75b144084e48c7f3085e0e06

SHA256
b6f2e7f0a40398b624d6d8638f4c5521bb96dd57df821bd93b8c3ec08d13e93d

SHA512
daac9bfab5557f52ae549008cb43cc1f999f25a7f31d790bf006ecbba77ea71c88b2a2aa5990485494e09f9f6304b7f2c5ee47e299253759dc5bb2000bf9d68a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
8d05bb0e55f295cec1942d341544c976

SHA1
912faf1ce0a9b7239d3c3ff1555dcbbfa2e97c5f

SHA256
63116777334be89f62c21bdb53e68b762f1234084662a530a0971bf731276597

SHA512
05b3324e731908aef023d0e40569b60749dcc8224ef4851fd791d71828b9268a4d712c0233333cfa25c33adc538482da5c92eee28ae04ee701b6c840bb47902c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
001f96a40bf07d5c4cd8dea82977fb5f

SHA1
375a6553d7a0cef5a0d93561162b7192bb6a44ab

SHA256
c5e391d05dff8dfdbf40c000cbeace626875f70f3c5e3809a1ae2297601e3f94

SHA512
81eb7b795d74807fd3693d3a2969532f09d6c0c7d3a4ed256c4f79b3f2851d8a04c3fd4046fd3eb1d9d09c6c02c9c2a9049da2d1ccd4c4f289fa435fc827a7da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
902edf9126a5d3324463234b8d8e3053

SHA1
f1c130f513da06e93914adc44392ad6c6b5131ac

SHA256
dcbc21ef5535915ad0a30ad0c0f81bd7618239583f57da7fce8c63e8e3d8b606

SHA512
ebd53fe60484dd0d1c3580de32760f90b75a0825b0a583e11fc196e6ef951b84c1d93707e6296ed28d0b7421f66ee3540287c4ea68052c81e504b5c941125907

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c0109b0c745cb21f6913b825eee0208d

SHA1
fe250ed253bfcf5b7d25194b326dec6c07fd910f

SHA256
785639006205e910483c0e3be4c2d5a6792eb1ead037fe9afaed67fb080086db

SHA512
4a60e3d95c2314aa49b3fee7a196f790ed43c130f2ec4adae171b5d940585b51ac8a3ecc6bd969c54fa9e4c925899425db63a18a549c334835369099837d6429

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
807ac61a6a0daa8fd059c51b93a967ff

SHA1
482e0e2d1a40e71cf1bd814442f9f450f915e51f

SHA256
8b6f9534c6dd70f1a94326929ec8b6caf778f004489ea958a87f44bda4fd01f3

SHA512
2fff04bfb4087de1d690ae450e6dfd5a269acd8c4818a56def4c8e479a5c20f7f2dd32f156e3b1d42cb2bb5b8e52e19313891390949e0157d728ed5cc6659a00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
4e63a3bff4f7c475f36d5997b8c71eb1

SHA1
3df360b79344f58046c2a2c86822a9f951fe9598

SHA256
b8c90cebcc9e3c28e200b58192a3ec176ba199f185a8baf7f7433727686a7a00

SHA512
03f34a707b1b6be668013267016c89dc9519b6d168d3475de4b5836a443faed4c69cc8b9402f8ce1aa913a394eeb9e7a9f4e223d2292c6d959523e1eabdcbdf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
10aa70bdad9abd1013186f87ad2e0599

SHA1
08157762eafc4dfd0b4c42ef9e9360045d944b75

SHA256
a7ab8e1af1e9770fb1b5a2e5acf60f5031b91fbabbf6d9a2f1ed70270d7dad37

SHA512
af163a47a726d39d406af63b3471a263decb893bb4e29fe10bd8d8a341bc025bc47691e5f05c0c02e69a33ea25a8576277ef0b47c7edf4ba7485213dccdbc058

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
92ff2fd9e43263e349cb4fdfcdbcdfc9

SHA1
b1a5356b4f35847968cfcb693ee9f911b0b0d250

SHA256
8b8a5094427728cb11d9cd432825f09e810291a06987737911447d3b917d3ec6

SHA512
51b6f0069a9606eb8db748b47c8f8fefbbf807e7927320bb46160355fcf00df630065aef1c3524562d9ef62f1716ef7935565d76440bc33f9b5ea78cc866eed6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
db5a8bf7c095e1bf4967e0d8d4e382d9

SHA1
3da74c35330350d92d784bc541e5c35f2b72ccef

SHA256
83799e725a3741170301f4a09a5c3c5ecd52863f64e9e3f00125a3a3c4cf2cab

SHA512
b84e420e75762f3efddde3b6d11beaddb19feca323179c206493a15b38561b4c95f978623621ca546e2e1cf684f4b924a676904645c34d1f2c15639b45a26ada

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
aca6409c874d883aa346896fd78b0f7f

SHA1
35ea70fada60002fb9b64f21eab7e155b3233c39

SHA256
2479f80a48281cab918e424a0e5898ac0b607d7c54b257d20bb74405e0f1b682

SHA512
5f2f5aaf0dd24feeb517812230f1e90df8a97ff526db7b8845b99598efff620397f19d332bc2c520e20edb1ed8ee9a2d0c9f285b5c18a0b5e003e95e506dc83e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
11e0fce00f77b38e5a14fd7d29ec5446

SHA1
fd71729e93a0794b10eb2e652831651b1be6b6fa

SHA256
b5ced3642a43173f64734d54cde580ceb0adec2185b75ba3b1b96d846f8cb4b5

SHA512
c9452c23030688461a0f26959bf3015412f5edc9a5d567b08a47c6bb057ddd0027abcd1782dc55d55b5d6878b690f96a1378ded6dd1ecc56e8282c45d0bc6f33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
5e7aecf92065540ca23695f2bc1de25e

SHA1
e0c5b286196e7905ed144ac5656e857996002d23

SHA256
8afb36ae0e82ed4d623906ee1fe54e62ed93a0a165c35d017354126d5750241f

SHA512
909c6dc025e8fdab5edf580d2021f2eb33a59af02a1aae00106e476549c80405c5998cf834bc5bdab0063dbb8298e8a9e64326f0c20176870b16ea7496a11ccc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b770536ee911ef575e0e3176e2b5cf34

SHA1
f45dd7263bfa3bdf26cbf87f6f59e73696fc613f

SHA256
2518bb500c283a99382440ffed6069c9a3444960398ab5eb6c17824a2333d59f

SHA512
a897039f2d5dce3d2279a0a8a9598f7db2955b1d348dc232ead48d4ea596611a9eea474e6cf19598ee809eaa9baef7f094e04d71c452fa51dcc11dccab58fa87

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5b9bec0b35865f9d5a4aff2f1a95573f

SHA1
9849c3e3b040edfbf587557286690428cb462484

SHA256
573de99be0ea045af8ce9d7283eb0cbe36e2ce6d0f0e6a5d3796877794b5bcb0

SHA512
cc943116459a2a2af3b23767ebf788fc40eeeef1fc8df082a26d1d3ad50ff4d1052824d0ee9123fad894b6bd26474722cdbc8b7568b092c7b15cff9c0640877b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
da07daa848f31cefa173629eb43e9860

SHA1
a76b8b2598f2b079ff767a1b880438c0479b807b

SHA256
a48584703cf3e7d3f0d8afb18e8cb77d4e4bf16f8a9ad802f889a38663219a69

SHA512
2022a92bd01aa95894597d853a907417cdbf88f01c982b17119ea22bac387e9bd879dc06f99dbfc8647ab9f2914f267eb2289a7679aaf785cd531cf4d31c4087

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3b09b729bd2635683916748d8076992c

SHA1
6fb1c48a749f537a383b8f75bb940129a3c8aca2

SHA256
c86f6f9ce3b0592b3a913eb27277f82412c2dae9e8250f16d193bad0fa50769b

SHA512
f57ecd8029b8a6188f0e757f720895743ae0a6b0d64304deec81e962ecc8d7a85c5283bfd9b6609791e98d2f72c33baf949fc358eff0c34c9e9fde941f4ce944

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
34249aec87808c51ef50300cc569475e

SHA1
a2f539fe1b367f82ec077bfb7952397e3a17c6dc

SHA256
a0b93b2cbd849edd5ba266a6ab8e7a40fde2f287beb4ceb4aba42088ba3daf17

SHA512
44c8f8e66a05ebd96462f5055658c795a5b7f79fc5d87b9cce0fafe18aae0bf8dc441b91601917355bccbfa85c958f31b9fe973ce8b07bae8326b8377f8cddb8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1c98533eebb9da66accfc186852d0595

SHA1
6fa4a5c26b8921ad373ec5952647fe4b5f6d47ae

SHA256
2c4abdc8997d31ce8093c8dace4d1716a7aa6be0a68f3eeded4f6e67d4aa5a26

SHA512
d79be22737de4cdbd16f3d63729259cba3930e076cbea98de8934231f22fa4b6a57fbc50cda039c0940c19f30673766d7423593af7b601837248cd830a9ad421

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
3dd109681d65dd9b0803026f5b30dfa6

SHA1
42e905af8512b833b6826b045cc5e47f44c9a8bb

SHA256
e1e6b33af6e61bbf44c8fc8a774f8fdf3c538766ffd174cd5537c6c22a21b477

SHA512
f1a809df19bd5ee34a55651f68e65969775f97e490146af552bc0b0b212a00e72297e6261df4bb3cfa32a9aa575de5b98b0a8e7efa5bef566629f9fd46efde12

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cb682977f2f26267a591877f2329c4a7

SHA1
41a63df9c673ea4e8a09c1c48d6471ebf89f78fa

SHA256
399d7e355508daa8dc8c463d5ffed417a8cfeb2d9d70df6f59b11ae29b66f1e4

SHA512
e908ef8d7aa6f51c4c6b0f81f2e8e6bd3515da8ece82bc3bbab74229ce950d5e1b9cbf4ebfe0719c46b502ab820b10a4a2ffcaf720dc46b2b249e4c4da24788a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
aeb05efa95115a9e6503cc0b2ed7bc12

SHA1
c0cc19d9e4ba7bea2f933da8900dd4f5dae8fe4f

SHA256
81a016ae2d6f67da80ce38568a7944b192fc68cf69799a593bb16ccd61e474d5

SHA512
1aa86cf0e67c9db2e06f0bcd83851c99ca96dfc4315fd207cd57787d10e54b6031cedf307da567a36d3330b502d903735d5a10f67da173fa5b926dfc0b8a4d82

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3cc567510b6085592d84f720ccfaed37

SHA1
01294402c38995509cbfda0876a135b3e88a5f1a

SHA256
80688be69e017f8a78bf0c7d7385bbf016f49d2852365ad7b61297efee7475a5

SHA512
1b6e152084646927d8e37d20cd90474178949aaa99bbe4b9d4eaf2da3a80476fd9f35e9bafaba89d94fb21283aa4f78fbf19d4f0f66c085c17e217d09a5d80e2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d8c5d7c2f30229e2f3aa79c5863a8fcd

SHA1
71e52c0ea2a6f84cc9ac79603ff1c12b7d6766c2

SHA256
426cfb767d01be4d0c18b8a165e2de82da1833de7dda56d1a977b7a3d17a4ad5

SHA512
fad5f7bc7cac6b9ffc85ed5c20fec2f35ce86eacca031a2a8864f99560645be2bbee53307c98c023cdd90625b922619074b4627e6f8e6c877947a68dc6d44312

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f9e2d0d9565776ca854119a0ba85401b

SHA1
61155fc74439e466297b2d64f53d4eb6196710bd

SHA256
79b7218e979783e1e1659ed97267d50024f5582bfaedaf6c62fa93ab2e21db1f

SHA512
8e90cf348c7af0ca1a4055c26f009154555b6315d3c429276b2c31485e37df2ffa674a9b01eaa4e275e55e599edc5dd2124d714b37264b08162b8735325c908b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3e242ad5940d19032cf7b3d3acb11621

SHA1
a561e5625edca226b70334929bc65424628e1e2a

SHA256
433c26de9c88a80e6af8dc244f41419edb87188a2a15f0efc24833b37655e625

SHA512
a8539ab3996d1e866f009452e855166559ce848320417efe02891cb356558d6aff58020f7cfeb0985b10d4675a3f8ec08f35f2b32c41ab4b893a79c5dcdd5717

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a4557dacb6c8e6eaff5a7809ada11506

SHA1
80e6570e9d825f5ab6f42916a2fc2c0838d9ecf4

SHA256
06792fc0b9863940b516303aaa4c3048ed153c22bf334e164304a11f895bad0c

SHA512
225ce30c72a2f5ae9a477c1b36b53183fa7a3f235d47dca1b77f62c7a74135d1eb069916a039ea0d7eeb441120e4a3677e5b963daa4fbd5925d9723c18f3a103

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3596a46592438d5af75651095f1dd816

SHA1
dbdd16ad46681be4824d7a88ab8b722e32ee764d

SHA256
fcdc429a50613cfaea184b32cacce26027ede3832348f22971ed3b470c717376

SHA512
49d864fd948de79aeb9fbc4e596693a6d9aadd1eaa7579dab985dacd49b933b3e7fa9b4140856e89a33cf681b3f49b1c727514c5c5b2fe655fca87d7431ef019

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
9aef6d631346398d51e250ff1ed23cbd

SHA1
d53ab40a6abbb39de329f045ef6794a7b1eb7117

SHA256
ca9d8eba75768adf93490615826e75748541aa0fda570b57317918bcceb120d3

SHA512
44db14a6e960b0c91c0bb9047a62818a3dcd1fa9954883d0687b858ec82f2104c0d9c8999455a234cb9ee9c31b022b094a3efd97981dff3f18029eec82a65864

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
219c03f43f8b9184cc7cf857b07dc89d

SHA1
e715bccbfd4d485a6c235b0dc7f088f6a6bd6d7f

SHA256
701a6e7db035b3e091dd166732d8f62cf6e21ed1133298a021be4c375b48fea6

SHA512
d82ec7883acd7a52fc2baa40e6121875cf4a8c2a5fca4aceb4cb2f2ace9a134595ed739d7bd0201ff0afc20217f6993f6ae5a21190befadd9535050ef70ca2b4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cc55500c0a36a67d6a4f10f1152ba30b

SHA1
7804c5749ffd84e0f3b284c333e43626def2db24

SHA256
d99941651a3fd2025ef35f114150923641804e92d8ef8304e13f35b168e146d0

SHA512
c62dfbea35fc36eb8d442d6e1741897896a1713ac66984edc72d0e16e53a7e2dba91fc920108169f18fc5703d0407a1bcc02e5deb67526a34362d0467e9f5b10

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
5893a407334131ad562727f4b849ba6c

SHA1
713ce39a12d5938b92e48a252c81c926ff37385f

SHA256
1df75b0bb70e52887d338a65012833fa33c205e33860f8b30c4bfb11c58fa093

SHA512
f6108255606d54065db9e7a511d83a4da9039b3e214bdbba8f12932028683bba50382a43aa848ddc88b2c4570da7b92df5053a862b4ae866adc57131604a233e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8291caead00f1fe707f8631182265b8b

SHA1
886b1b5881778cd1f6e060c2b7c0485fa3ea855f

SHA256
c9cb97fb19a531c1e35eb2104117ca01139e61e5b3631f49b6f0707cdcc31f1c

SHA512
3ba92f716df6bbe19af6a97722a172a76e455eebc3bafb38eb1a9239906e146846d1d66243a773fc2421ac18c522b3238c8c218786e706a6a663588e46f60c43

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fd019591055b3b489328a2e77eb7c480

SHA1
2a04f8ce03ecd0e9b06c29b179094cda907723f4

SHA256
908296ae5042ee4a595d904e65821bf6a97c6b8d22cdbee35e4e6c927e14931d

SHA512
77458c92f54f14120929a44b2a23cbe51a0a50858b2a9d94b9ddad4d39b259d2b28eafb0c86822d4a378a0a1cdb6c39c1c00762bc1817e95dda00dc3c67c3eb3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3043729c3605d51ecd31e9936e2d92c6

SHA1
81d32983589e5b2c6239f5f67000d79dab53fc08

SHA256
31f7af919cba65b1fb452260d53e565bc3a80bdd250e2b24bacad1de66cc7f1f

SHA512
5b138c81ded151129974af8a25c2bd5623eb389de5f0184f91de4e02688da74eeed678ae5ffc2562ebe269c62cef3e66c54efc5078c52dddffa531110e094416

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
fd5c44a7aa0d9cb1778fdee0cdeeb65c

SHA1
ea0acc58dc8378710d40e78a8c6955d50aa89ce0

SHA256
d04dae3ede9d08b1d3ac179f54b007f2f8188de71f838c95cc25de8d337a2d82

SHA512
f9f802fa09bc6a23cf462eb21d30c47f3df2afa02872b4c2529e94e55e3e38d16812ed271585d704c448127ffb25a95aa0e64d138bd869a6fde7e9464f6668a9

Download Submit
memory/228-485-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/228-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/228-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/228-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/228-182-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/552-255-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/552-765-0x0000000140000000-0x00000001401A1000-memory.dmp

Filesize
1.6MB

Download
memory/872-258-0x0000000140000000-0x0000000140181000-memory.dmp

Filesize
1.5MB

Download
memory/872-766-0x0000000140000000-0x0000000140181000-memory.dmp

Filesize
1.5MB

Download
memory/944-284-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/944-179-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/1716-230-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1716-686-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1776-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1776-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1776-120-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1776-105-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/1776-111-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2104-333-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2104-729-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2104-210-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2124-767-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2124-293-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2596-771-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2596-309-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2700-320-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2700-206-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/2708-305-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2708-768-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2748-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2748-761-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2880-21-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2880-205-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2880-11-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2880-20-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2884-194-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2884-308-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/3028-136-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3028-246-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/3028-137-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/3028-131-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4028-99-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/4028-100-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4028-94-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4028-101-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4028-209-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/4036-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4036-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4224-233-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4224-116-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4224-127-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4224-121-0x0000000000920000-0x0000000000980000-memory.dmp

Filesize
384KB

Download
memory/4388-269-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4388-156-0x0000000140000000-0x0000000140158000-memory.dmp

Filesize
1.3MB

Download
memory/4388-157-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4480-189-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4480-304-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/4952-153-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/4952-151-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4952-141-0x0000000140000000-0x000000014016E000-memory.dmp

Filesize
1.4MB

Download
memory/4952-148-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4952-142-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5156-772-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/5156-321-0x0000000140000000-0x0000000140165000-memory.dmp

Filesize
1.4MB

Download
memory/5304-773-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5304-342-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download