ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
Size

1.8MB
MD5

3429e6657b2a92cf12eeaf6000e6cd3a
SHA1

8d68361e084cacfb89aef70910ee570f73a8d3bb
SHA256

ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400
SHA512

ffb075a054a908b45d6907fabfb189cd80ed0f9da06cc2fe5f17f563168ea64aa7732b4622cb735dedf6f619673c06b71f75fbaabb46edd8941d153476be0c01
SSDEEP

49152:Ux5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAHaB0zj0yjoB2:UvbjVkjjCAzJHB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
3624	alg.exe
2816	DiagnosticsHub.StandardCollector.Service.exe
2996	fxssvc.exe
3744	elevation_service.exe
1100	elevation_service.exe
1992	maintenanceservice.exe
3768	msdtc.exe
860	OSE.EXE
3772	PerceptionSimulationService.exe
4140	perfhost.exe
2584	locator.exe
5112	SensorDataService.exe
3840	snmptrap.exe
4644	spectrum.exe
3956	ssh-agent.exe
4924	TieringEngineService.exe
4440	AgentService.exe
2220	vds.exe
1944	vssvc.exe
1528	wbengine.exe
2312	WmiApSrv.exe
2352	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exeDiagnosticsHub.StandardCollector.Service.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\locator.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e13d2618234f82a5.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\System32\vds.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exemaintenanceservice.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_bn.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_ca.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_te.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_mr.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_pt-BR.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_cs.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_ja.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_zh-TW.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_hi.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\goopdateres_ko.dll	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3691.tmp\GoogleUpdateOnDemand.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe

Drops file in Windows directory 4 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exeec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchFilterHost.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d246b0a2b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000209d230a2b99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000037a7f00a2b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fea3e5112b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc72790a2b99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f377e0a2b99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
2816	DiagnosticsHub.StandardCollector.Service.exe
2816	DiagnosticsHub.StandardCollector.Service.exe
2816	DiagnosticsHub.StandardCollector.Service.exe
2816	DiagnosticsHub.StandardCollector.Service.exe
2816	DiagnosticsHub.StandardCollector.Service.exe
2816	DiagnosticsHub.StandardCollector.Service.exe
2816	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4632	ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
Token: SeAuditPrivilege	2996	fxssvc.exe
Token: SeRestorePrivilege	4924	TieringEngineService.exe
Token: SeManageVolumePrivilege	4924	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4440	AgentService.exe
Token: SeBackupPrivilege	1944	vssvc.exe
Token: SeRestorePrivilege	1944	vssvc.exe
Token: SeAuditPrivilege	1944	vssvc.exe
Token: SeBackupPrivilege	1528	wbengine.exe
Token: SeRestorePrivilege	1528	wbengine.exe
Token: SeSecurityPrivilege	1528	wbengine.exe
Token: 33	2352	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2352	SearchIndexer.exe
Token: SeDebugPrivilege	3624	alg.exe
Token: SeDebugPrivilege	3624	alg.exe
Token: SeDebugPrivilege	3624	alg.exe
Token: SeDebugPrivilege	2816	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 2352 wrote to memory of 2396	2352	SearchIndexer.exe	SearchProtocolHost.exe
PID 2352 wrote to memory of 2396	2352	SearchIndexer.exe	SearchProtocolHost.exe
PID 2352 wrote to memory of 3552	2352	SearchIndexer.exe	SearchFilterHost.exe
PID 2352 wrote to memory of 3552	2352	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe
"C:\Users\Admin\AppData\Local\Temp\ec8ea5a8921025a699980ce03bd4db87c1fc869c9a42265912cfad4400221400.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1384

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3768

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2584

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3840

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3780

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2312

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:2396

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:3552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
472f6c4fccf7ac665a6a018672a33677

SHA1
84eae124b5993cee03f475a0b70671a923cfa9dc

SHA256
61b9bdf8454d13626e5e3bf4ad0b8f4dbb85fd0c54c4d6e7353784e619038f3c

SHA512
aa7b2a23d2ea3eee3e48dc68dd86280a25a11ec545eb3b020fef5dc6036472e6107c6962a7be818778251d7226206a88fc883c3eea9e47f39faf30bbe65b2321

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
dbda79c37ac3b68403e313590482a99a

SHA1
2bcd0f71bc3ad4b84700776488a7dad1ef490e1a

SHA256
3c34b10dfef8e016695b1b26f4c3480ce700f7f9ddefcc50c21c21ab2b7d1639

SHA512
3d7c910e2b833b979837baed18b8feacab2d193f9d5f0d91efb7981d5622b5395a2ab77a7ac315536d91407fe724cd9264f940d77e54848b36f3757407d2cf42

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
2.0MB

MD5
89596d6aebe6e102a332b179a8924173

SHA1
d4f9b67effcf7ab774384bb50adb9d8f0dc0cce6

SHA256
26bf816fe95b6f0d49a1ed22bd6420b220c1a34b5a841736708fe5c1f637ad2f

SHA512
52ef67d7617f7a47de4f09508446148573119a55f202128c887a7f0ca88342978c949a0e2c978afcba525ea61a1042b227f316328168f96fd99e754863f32df9

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
823d8768ea0778f9feec953238839ad1

SHA1
5219be5de970f390f50eeffede02ad07f6824d58

SHA256
38d8f12da7cb0fad988f89ea91b5776cb62f9d5e98be09ea00108a17ad2991f9

SHA512
b23708f0590e9d130249bec1002a29be68db0c9a5517f7d33a58ff4376d545cb45aa2ae56486a783697de538a20ac09353ca6d67e97ff0caaab3dc575623c78b

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
a1c9e0c7a2d1260c70498de8a556d97f

SHA1
c7a96d352a0d2d61f3ceea8f77a79b79cb5876b3

SHA256
e2f87ba452c30838eb64142b4e758e74e50a53bb9c7b08f7afc84f362084f1b6

SHA512
26d647b8af9b2dfa139ebc8825a2d5ed37ce5865e2ae80d81f1e48a617ae412d0201620f51e2872df52ccaa2e56331e6633a3659c34626b143d277e53f5d0d76

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
1.5MB

MD5
97cde740548ac32a5901e42d373e8740

SHA1
4e1c7e9297d23e077cb2cc174a7d9c9e9594a370

SHA256
267df78e84f773dbe400a0afd57e0bb7cab48d5957e0cade560e91ac445be80a

SHA512
0cf6c9db0ffdd66e76e91ed1e1174b474a0854af39fefe53e58499ad6a1c44893ee0259cdc3e87421f5bb45e6ad5766c3c2df2c3ca95ec56276fd9e8151a7bbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
1.7MB

MD5
af45e426a42092724a52ee54769f0d46

SHA1
fc8c3e5c8b4a72d9bc4624aef6083edaf8fc63d0

SHA256
7479bd8cbbfe830cac365a6c57bfe4b2a4ba391337f608f757dbdba9114bd74b

SHA512
d1724ddb00383eb5dece63717b2c88c9fe2d82f8e456b590fbfe3bd62314090f1fd5246079d89af80150adc863cc3d0c899b6d83dc10abfceb065441723bb0d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
08240138162528dc55b17c48b0f8d736

SHA1
e26d012a37e9c67d583a38876796411f50731bc6

SHA256
f0b057cf79648c1385057f62d4f287b07d6375d680f8941b369a81cf38f1389d

SHA512
72d54cf37cb6b8927c66bf06bfd89e26ea713b606b1203bbfa485f96cbfc8a0a5cda48d6a9a506f3214039c3384f146e8f73d75541723fefe8b0e455394ed0df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
1.8MB

MD5
aeabebffe183b8e39ec4f98aa599b55b

SHA1
a655454fd54de58d3bfb3191d93551d8c87f1e4f

SHA256
59ecfae6b9ccdf5029d134d5a5e1a5f51f18d62cddaf126b5ed8ecf81af6b0d0

SHA512
bba8b50e67ce21bbaccf7f5af7a87f3234cc70f76fd3d99bcf79f99f3264108ff8d740a3d766f53b8d2682b00bae2082382e842526ac025a1cace22a3c65ef09

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
15132751f83b7ef59d21f3bc550e0ab6

SHA1
c52d8f4fcda2bb60ccd39e6dbfc180c65b1895af

SHA256
88c3232713609ec757d3720f5812e9dac9d29811aa4dde97c67f2ae93cd8b46f

SHA512
607870ca75299405f0679d8b117823732572ed50163847d3ce7e6a00d511da8cf6dffb0b04a68d5f8f058b9557ff4a00ca5d84bd218569fb3dff4dc88fed2532

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
bf90e2d12a954a411e88c51751102888

SHA1
f499ce252eb4a32d0e96ca61c12d1631b0560636

SHA256
fe05642fca5bafe582d492bdbad0ee49f3e981e8ae3ae9d06c4219127503e8f8

SHA512
96129bae8c0fb872ea539147cce7ced6a4dd76f32f83ed76c670525b5edaec03f81908fcaad78767abade18c7ec28feffbd6e7829d24c1218441510f722403b4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
9cdfb66caa0d24118b58525c704d01c5

SHA1
93479608078088423ef788e35bc57a08785c0bfe

SHA256
24e301cd036a9103388dbfe5aca35c541e6421a99b12459cead8fdbc7b65156a

SHA512
7bb53b2b670299b67effc1f092d4cbf68105e1b241ce8325556f3488584906ae0f66dee851995414993bbded8a64bd8fc66081161091727d484293c40cb30afe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
9064dd9ab02290af632e7c2988cd9766

SHA1
0b4aa64a498766bce9f7084376bbd683f744b05a

SHA256
2349fad70ee8671002cfa4a16b0e05f273bb47a06fd115fb5f7cd62abf9cb2f0

SHA512
748f743b96235380b64f4c8fce519cae4f1f89eff5d1a0981437a90605119646f688ae9658d6557ccf610b7c2eb7679c73caad36b9ba07ea07018e59bfc0b410

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
1.5MB

MD5
3ded08c1243614a0b4a208f9bf9d06b5

SHA1
698e35e9659be2a0697e9b29e4879aea151d7aa7

SHA256
8ebdc20ca480710110a65e7244e9af4c74f0f978c72585b06b79601b19a3d3eb

SHA512
887f3c6b63a0dcec02fd96fd80bea00acc79de456008f902cb224f5a60812c5f2a6144cd9d12aa783b705447f77e1a98e6c797fef95bc45eae906823359d5c1d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
a9ed60a723f72563ca1690188ec4759a

SHA1
63ce5ab3b1477a8412fe9429f98c894aa0717baf

SHA256
af62e4e9288942485ca58414f9532228c4e64e3daf31340dc99d5944034a470d

SHA512
96af936f4eb20d2cfcd1b2af15289a4ded44cc606e8b86d4b59ffd743d1ba01c45c7490aaeee074bcf0adfd68e970195aaeb1a0d06343a0bffa4709cee6d2321

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
4efe49b89f705644002f0aa4e7127d3e

SHA1
c7120aa9fcb6a1121430f8c4d7237a2f9951e29c

SHA256
7c43ec395d36b84a6002af09606b133722f4518930ba69f6678ab00292dbf389

SHA512
567fefde08bc335a5d74a51e40ce9853e14503c18bd6db1152502e215b4641c2f76fbe4ea9f03607be5c5d142446b65a585f273dabe2248c6d24e53a580eb76a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
47c181d762d4c269ecf0e46ce7592f32

SHA1
a7daeb2ad762c7f9a902d38438c2f4456b193942

SHA256
2a4ad5590f2a1e134c3de0f3963cc6621850ed5834c960cdb4b7317678d55912

SHA512
bb8bd63a884643688784f6d4a6573645656c23438e7cdcccaf2bae61b5751feda73e219310016ca5713959aaa08c925d8b4eb2f02c54b53324327f1e880a59c4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
2dfd685e27560b4a6e60e605281ed1ed

SHA1
52948b103cc991e3cfc57f833363cca43be4a881

SHA256
f80db195afbf393867f81d20aff761d517e4dcdcef8b9e6ca64d44701abcbec8

SHA512
564794eb13068d9b8199e7a46da60049a1e25c63f1b9e9db0394704bfa2719341688636e72a7e43b49b13e6a7bf3020db9c70b7b20548111c657003d96ff2c13

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
9c69c2758cf4a980983de8cbd2355a3f

SHA1
85ceab3b0c1ccc905c62ba42e182527971ae3e78

SHA256
54aaa2532df1d040898e4afe6220919b6c41ef53e640334f35043cc06dd88946

SHA512
4df2372dd94a1e4a09508589c2a27cac6b55a1ea18310cb8abc7a337d570e3c0d19189a3032da36fa60cceff8bca44fdba4398b3d3e527b5e9bc8f046123fa4b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
e14259a8bd84d401695fba3c55dc1510

SHA1
d665ab3c6272909d9f22ef96f552d430381384b5

SHA256
b24ef1b1b4e55ed0b074d242822e9033d3dee5225abad5278aee4ff3eeacd2dc

SHA512
c628b5056f6d67099e4aac87696e9aa4e8f952d92bc67e95de2f90074348db4dd9792e1677a43e2cebaff83d0c20dec466120dc9dd10d7bf8250e871c27f74b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
1.5MB

MD5
9bacc1d552f1507185aee464b72ef6dc

SHA1
a88611a4e3767eb1c169f11ed5886aed495a0519

SHA256
64b8fc4bbda042d3f2298b3696c106d2926efae89c71eed0caf3ef49c414bf36

SHA512
5333406870ce6e83d1f94498f777c52da4075d7a956bf4338f53cf20abb9ff0d4d1fb8d8b97a719550143fe2cf7cf0cbf760a654a095b0725d3df23ff2aa5f2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
1.5MB

MD5
54429a2a0a32c5a2d68415e5e6148b74

SHA1
31b1375d6aca40aa16174f4740f3f8059d0e8a86

SHA256
039ca683ccd14b4be3bed38b1d811a73d7fde07e598ef455ee4594d187c3344e

SHA512
6844ffd56666133175b5c70ee2c763bd9e9563a0251b45db87d61c07783755b06adb29be732eb587c5af53ef29e9082f793378b06996446d22c8ed86b06303d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
1.5MB

MD5
e3a84272f189f83f777a558002168259

SHA1
031a7c0752f24be4551fd1a67e08ba56f66d4bfb

SHA256
9691ec7c60dbbb449310aa60b61336c6c7947cfd078513836f5310537f7ed902

SHA512
25d9ca04ebc84ff6186898cac2bbde74fd4557e74855f5d2b5ba27e33cb868e757e22dcb06b11c3cdda08ff391c8bed791dc6597c9714eadc34a0ece54811b18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
1.5MB

MD5
c8c3962578ca5044328ac1e0b388994e

SHA1
a9050c1ced6dc51bd803fd9ace9e3008d9d52697

SHA256
13e8d38a92502c87331357956f8bc02a804ad0655c995b6e4a4b33b7a81d3d8b

SHA512
1bc5dde985d3efee241c8dd3b47da921b9502ac9a44a46b69062cc993691d7b1a965c291ef9b5fb0f0ec1fbfd7c9304ae3e5955567108f5e842489205071f7da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
1.5MB

MD5
4315c201c18d8ab369fc731779f44533

SHA1
308075bff9262c3f612d0e268d520e7c16a14727

SHA256
1025f85915f96aca36f034eb76d1855cedfde76315c34c7d7548f468020d0d34

SHA512
cdebf5c2e4181ad7c7d662e7707d27e37149a4cb84e437c97a7f94a15b739693bae09421f987f99734cb57ea29690502ab6d6e2527d83a530e10039f8bd84267

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
1.5MB

MD5
53ea3a6806b979b854e59ba345ac2bb6

SHA1
ddba8cebf60aa75616ad218dfac9301e2cfa1bd9

SHA256
9aed23ea6a180d06debd62fb4b3fa6c062523f7604b13ee1613d02f262b9e93b

SHA512
eb463db9cc4dd46c0e38797f0b5208aadbca361b3ec0701bc3a359e165568c74cd46a9e164005eea32c21f8fdc22bdd802b9013589b9c67b7dd4c69a2f27e926

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
1.5MB

MD5
7ad4411a78cf6e7981a518c2ebca1876

SHA1
67dcab8c7054e806f5fa6aafd839d97ad2a31bca

SHA256
52c2bcef9982e4f00ab65df1eaccf8d1972b942a5b4ec5ba3b4d276bc6b48253

SHA512
0b518d89fc790c78e31a93331d67301d9358f0f50b8d32631cbb5482bbb399adc5ff78ed38b620a3c75249d693db2892c9aac69310e58068b5101daeeb7ebb6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
1.7MB

MD5
92be69f851d8d56f2c876a622d3db44d

SHA1
2c96ed307639aa5efa86b632a9aad15950d875e1

SHA256
617aca700d914761179263c7a39dcfad17c9194b82b6b53da91de2fa10ccab7a

SHA512
d9882a1d9600190777b3feb429b08f3f467c815ab38d724179feecb733e327abbb01bd3550dd121e21ed40fda9a31ba3ae6de9c25e82b285ffa204b06e2673c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
1.5MB

MD5
3a35fd627009f866c06776c1c25231cf

SHA1
705e1fa9afcadf92a4dbe6277c5ac302947ff9a7

SHA256
5f663965dda216b29185b7303127150371e4aa864b4194b0b04964769ed41f13

SHA512
a27106260435ca92fb84bbfe51139305b596ed1ac8682d7156e2c01d99e3ee552e79a215f0ee56922d4208c90f06bd5c6c27cfc14b7ac0c2731fc2d02e286340

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
1.5MB

MD5
34375a7f9e374578e3e53b2499d8bae0

SHA1
834734022fd5dca5984b6e80984b2dc1b63f1e87

SHA256
53ed199d1959d08320cd097b3c676cb0484bfe221d8ae9eda92be6fbc418283c

SHA512
4d528488a53176465e4e055b8485b8545994a1012f97c4f315696730c43de1ebdd5a0e4ca520e88dca61688eef5140d86e66d43fffc583eb31b9fea50f70863c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
1.6MB

MD5
e85fb263befb31978026dd9104d6dc63

SHA1
df225831efe1ad11d029272ac7c79fe322bc1703

SHA256
b3a1e9160a79d6b87980adb22c34702287c7cff2803653139ff6bd57d28936ab

SHA512
043b09eb90cb4dc609a00bc2f033c9df1bab53cabd740db56034ca8a7b4eac4f64e774a01e4eaad6fd148ac3fc897116a1b571036a61fb5881849901db845089

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
1.5MB

MD5
ffda7b111c0a8e38755fb04ce70e69e2

SHA1
e9fcdafa078d2128f5883d483444811b0c678bdd

SHA256
05e3963631faf87018f59a7dd3da2d4a6353d20484dd7becd80aa950358d8b8b

SHA512
4889d93f9cd183561d582495c6e79ef865cffa8774b89cb2413040f602c5409976c58739ee5dbe7c12fa8320540da36bdc32bb8047bc28a467eebb5142bb595e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
1.5MB

MD5
d5ce99fa8a278fa7187600b2126dbf72

SHA1
31c2a56bb9dfe0247713502cccabef24eaa964b3

SHA256
c2f07a4fab232fabebc2ad3699bc631ad34dcd1723a9a77ed2187137f3c9b226

SHA512
78a9d99aeedf8cb7d6d94ce1f82fe26c2db7016fa193700a03b33940b5acf08f9387903294202a75f20f1bf5dc34ea33dcab68fc4dbbb2e556148eb44dba164b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
1.6MB

MD5
43aebc519d56b72756db0ad3ce39b3d1

SHA1
3c446aba0d21b04b24ca03e0b767748c75f388a5

SHA256
e41568b1a069bf81feb7609f9c953f18fdbcd30397471bb880036d4dd1dd6d3d

SHA512
462707f8ab1e901747bebe0c137435a01e627f17d30e8fafbf107d871c438d40a8c3992613be3566d764ae61490aa5e3cc17ee07fa97d40e3367302f69cc1269

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
1.7MB

MD5
bce203e981cf73499a6e35ab0e64e613

SHA1
da61b22b257df089d42e7fdaf677f0bbe6b2b9b5

SHA256
de4746508650242a645af8934dd4a752245fc9afcc8fa26edf47290e64efc99b

SHA512
b0ccaf09717676c691d5a25a565954a966e9b2512686c23e29f920d738039c58e3e20d4caaa4d1c775bf13a1702573408933eee304c1115a63923dee84b5db8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1.9MB

MD5
bf01066a4833b83446c7337bef1f974b

SHA1
04c1bbd68870a7e9d3093fd5ac4fe395554d60ec

SHA256
653133cdd0e204aee19adbbeb0b96fdf6c32a03b0d9c0108f116e185b4692def

SHA512
29d19e2c6609b3e2343fa3cbf74b5e6397f3b54959baa0e4153e33ce46f035b1b66a6212a5d3c43d0b6203785d407b25c53eae0b736e73dd483cf3c9cecde1e3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
21b90e2d8fcb5c151d3cbf1de9d9e956

SHA1
b2fc4735b56d5a9b50b562da0016baeb632d75ae

SHA256
23a4750ce0fe638c50698ad4e0a83f89cf70e5f615ed35a95b4ef4156f47c596

SHA512
6e905d253c332f5cb871fac962f80690d2c76ee5e7732a85ccbcd505ae5a989eda2da9b99a7559f598e15cdf2738dff5ddffdbf10762bb036884cf2fd88ec5a1

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
1.6MB

MD5
7b992eb7b166e3c770ab5e659bc80c24

SHA1
b5e1b2dadbed5f9da3f26475b99405808842978e

SHA256
2360deb9aa732fc7e24b610270421e40eb97cb305d67a92bdcca88f083ff2f78

SHA512
5ddcfcd5f21961f2bb2e96c55a1c5991a93c8b67e247b635c75afe9da09645e52a3d8a69b0a05358bee7dffad8a193cd1a741f12eea41d6169a42d86a21bd062

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
cfa645a12996685d52b6a8a6b3534c7e

SHA1
3440c1b232b128ebf6186724fb98a4eb838397ed

SHA256
274d2ee3c5ad02b559995f72ad7afa8366285d6a0019ed1d011667f3ec53cf9e

SHA512
e80d559ccf5b3a8c2e89ab15e4ba4e9af28c8617eb0c158c2beb3adbf7a37e07769b35b2bd8d69eb3f099918861c063458d4e4c33d996e7493230a9b108f8461

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
de0537a5fc1596bc2f27267c6edcab98

SHA1
f757316cd74fcc90e4c7e3b2a802fefdd0191154

SHA256
3b3c808e0b0011b7caf630f64d7b5036545dab5e26c471030b21eba1093f8b27

SHA512
6e8a2a411d802adcfe680a11c9112e83a2e9c1a0793f2a395857493fe22f39fe7673fae727fe9fe0a5a44c6fa1142ea4a4458d20ade62831213b9373e1695c1a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
446903bef15777122319f8f4655b2ad2

SHA1
65b3846f97125aa5f0d2c22c0d1bf186d647964d

SHA256
c9f3c40a7cd80c05d73ce375952a8c9fdc8ac3b5e50429caa380084416c257de

SHA512
f3c778c33d726de75b492aeec61f7bcf029b63ce69166130a389f8a0007546556f799a96e85338216f790d7247888820ecb60a2080688b2c1e3c2a6836e7cae9

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
912b2b23b316133f4671bf75de9ca8cc

SHA1
d16d0f30fd0b193ae7609fd9fd004d525777cae1

SHA256
999bfa518205784d3d287b997ef1638e1a5bcb2d866e67d5736d827035e5f2d5

SHA512
087deae041b6ccc7917b866ca2ec3b1dbf14049a5a89b9df795a9dc05339e6738c5dcf74cdbc2e51746324d8c768ac5c79ad91f3b89cd7bcede1db9dc5ad943c

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
0ab42c5236a8504db13178434af28200

SHA1
fd7c77355dba3148d4ac2e20116e76274dc0caa5

SHA256
146ffad86c8db29e08b8a52c1d13fa851a95e79be23dc541716d05afbe4c1d4d

SHA512
a09d21b70ce61470368a63f228a8e53f26adb5c84fb4c53e1c2e3a9204ad643f2c2f648c996deae85a7c241f26caa8f4a944e6c74fabe9e1779546f5e7423118

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
434307f04eadab5a2a54c5f29b65f8cf

SHA1
172004ae588b51e3690145d0f32e895def8362fb

SHA256
d81e783056309e9ca63a470251dca9045293813e5ce423515e0f61dc17546235

SHA512
4255c1b2981c7cf64df46669596b6c595a19ea45bb69b98cd8f4dccb1926ebff485a4abc116a720571e118fef63ebb51761d6255b90a177773f2249334dfa2d5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
9b0642a2639395eeafd3dad2f60beb72

SHA1
5b1d6303f67a8ae66f2b7e67ffbd48c4e20bc668

SHA256
c7c71c70a5d4f58f2c40d819d90f5fe886514b0bd540d31bd32dee268ea2dd86

SHA512
ae478b1eed1e941fd92384bae44d886c13b86b839e71911c546552a8021bae33ed0145b8baec2271d9d247e1261b30104949da747aa0d624b711781e4a6c52ab

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
c17992181393bc769180cd0e66a9eddd

SHA1
92f62eca674ffbf8e5e74df49f81b99d95227ae2

SHA256
a4be582aab2418c07425be089aae5a1f4f5f5f13ade2ccccdede321529a4f2ea

SHA512
85840878660e242e6f9bd30f55adffdab11a099d1b9e28669f434ad37407662d1f65f5776f001b42ba248da223c8a976c69784bcfb58958b41358cac8c6cb4d5

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
20b30759fc38e69129bfbdf19bab6c6c

SHA1
70b61d84d7f28a2f5116e9609e1c1ea7d0f83696

SHA256
886e6ac607dd9f58a3e66c2fc96d35f4ec51176ab8f09b12ba117f87de55f222

SHA512
bba473eaa0d8cdcb8003430b3859f389be67cff48072ac8c9e3a1c0a626da002bfa93d119e68aae916088f6bfd93a1b81c4b3f76567a1c2e78b5d7938e0d98b9

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
3a162f22f378d2cc45933045f5ebfa48

SHA1
3c854ce6a723204c3ea0bf1fafdc0ee5ba9ee506

SHA256
c53ce2916ad3898941ca270666bcb2c5d092aebedbb810aad0070a9bc179be32

SHA512
772adf7818fce65b647db896d28003aceb50c0c18a519808e76e3eeb1cfca86d236fb465386fcd89d97191d119762705dc0cc84b3cb34ca86700ec785931c8b3

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
6c238461e03ca1a81b67257f20722da7

SHA1
eb6b796050c1d47ccbe16bc5167d1262020917aa

SHA256
43908a2013de20f4ae2ca32e12611f4f54418e7e96794c7990c3947ce0fbd3e1

SHA512
7ba0ce2b498f73924d68917b02d8527e82c7ee556517d47a9efc841f8436c00acfd102c3463cfbdbbf491b05a1913ea594fbb3f298e20ff333ca32c2747f22d0

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
5942f5982b845a456144511e2b1021aa

SHA1
3adb6fd71db6635d1b94df253e9d26974f068525

SHA256
fbf6ce22f4bdfdd48513349361560a767f7bb71fb810b1953af7def362246d21

SHA512
1de09726e439973937597861e5b42373421410c95dc846edd6108a01fccd5c1fc349f1065a0d400ed4f092780c897368672af487649a0f9b49d906916e265c9c

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
5a29c1bd273662c2b6dc3369fbb7b1f1

SHA1
f37b05c5e1432eb3826f1c66505a4613bcc26867

SHA256
a1edd7181bdf8fa5e66f0ecdb549c6fc306a637e8218d0353c420044ac88d411

SHA512
c2b642827f09e1d488b145edcb8b918c0e62a88aef4f35927add67ce6c6bd4cfabfbc4937523c7378f795a55555f764e41e6ccc09dddd7f65295c84a4e402e48

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
a8e2029b56fb4d307f6acbe6b3f47a69

SHA1
7acd3a60fa8287155928b4fa6666f83d116deb37

SHA256
f32fa47de74750ac0ac537e5e696a402d0d52a80aecbb3507758f56aa2694a8a

SHA512
8f981037e02c4043eaaf0ed36ff2b5ae0e3da87005586cf6849ce6ffb3042be0dc1def88395964dee58e53a366f029d67ee775ee70ee83da0a01134d8f859e4e

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
fc2f72df1447113976b634799324b97d

SHA1
f3f8ce180f667f505e502a1f4434b5b0b2acc5e2

SHA256
f9edc1b30f10ecd561773b46d9db86b26d4b67a266acb8db01af7a9d824cd0b0

SHA512
de5a4bc8d518c0f18ce520f0268b6f2d05c1b1c598078346613b8e9fd21cdcdc38731d41664807812e0b050f5fd25ebe564d399c198873f4d10a60c4607a32d0

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
b4a1fc571b0043f61d28ee8f469dc95c

SHA1
1de6ae497d83ffe94b1c1db04eb6352356904553

SHA256
11bb3b0d9a8bb63764e0eb3c648697899ba49c0153bd829e43bcdf3515309407

SHA512
3c93277366fda0cf844b2261f504deb5019934f09c360365899966993b0be553f926cab70e48aa931074392fc00255e45c040a6c21646242ef7995b45c85902b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
f59d1d056496ded5a508b5d33faa2cbf

SHA1
4c06f26403f8cad0ebe219a49bba79104b80102d

SHA256
8d6ec9e896afa3f659f0da4def1047b1916eb6bfc79cfef0efc80717a285e7e4

SHA512
56b7c61b02b89454e859b27751067f0e8b33c25c9a12ee807ea346871ac41ac813899db04634a84878a63bd8465545bffeaf27e840a9465bae4a74750e475be7

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
9e45ea4f59a6d6ea3bff9fa417eb1c3f

SHA1
9067a3622bfe89bbf763f546e7da0c25ad6d6b40

SHA256
c601d991ca6e09813aeb68897c730e6dade691cb6c7a9acfaf8d935e375eec8f

SHA512
f357bbc716e79b258418a44c8e8d3044102ee6d4f78dda8294c0fcff27a2bac982a087e98a8aba2c45ffeed05b2a3ea7ac46d9f09b6fba9fee9a005deec7c755

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
cfb245d0100ca91007e0b70de3f32e3e

SHA1
06980808a4eab05d84d0ea97c1016a60e9132917

SHA256
a24ee92119a99cbd140bf4f27a36340e3d2697fa27db23efb21c4c6d33707f6e

SHA512
fef21198fbdb600ad6a089d7ba902e401b1c727d6741d8cc331fc7bf91ad8c66883540675a10be6c88436047820e5506522e63bcd88e6f1e896d892dcb11faf5

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
6752bfac9135d5ece31fab8cab3622f3

SHA1
7997bb27b045ecc960d0ee13e0743d119d7916f9

SHA256
2f667c5f2988dded9dc9e43f1e1fd5eddcc2cd76fb81fae18e6a3f63949a6e0a

SHA512
424891238847f8da0b4f34aef10e63ca0c3c0a1b0a320248bf97db03e8305eb462919d4431a0a5dfc9dcbe02b7894818131ea51ee42d40a0c7a65cae57451595

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
c6304369727ced8f6cdb76039dc16a63

SHA1
ae1f5f0720e981a34ae73afd5ebb164e16b0d661

SHA256
e64162ac6b47dcea15fd216dc922cb7cc4fd1899083ae7a0785bc9fd68efe069

SHA512
14d830c81daf3c598ca1137c072308a736e97562c4738586e22bf291cc3b07696eb45c74be76ed5df567f2141346fc02451dbcf2c7797782947423c4b3f1daaa

Download Submit
memory/860-284-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/860-179-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1100-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1100-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1100-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1100-247-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1528-788-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1528-308-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1944-787-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1944-296-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1992-152-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1992-155-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1992-143-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1992-149-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/1992-142-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2220-285-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2220-784-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2312-789-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2312-328-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2352-333-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2352-790-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2584-200-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2584-319-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/2816-93-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2816-102-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2816-194-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2816-101-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/2996-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2996-114-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/2996-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2996-126-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/2996-106-0x0000000000950000-0x00000000009B0000-memory.dmp

Filesize
384KB

Download
memory/3624-88-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3624-79-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3624-190-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3624-85-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/3744-234-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3744-117-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3744-125-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3744-123-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3768-167-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3768-158-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3772-195-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/3840-696-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3840-223-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/3956-248-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3956-702-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4140-198-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4140-307-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4440-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4440-270-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4632-486-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4632-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4632-157-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4632-1-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/4632-6-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/4644-701-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4644-235-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4924-703-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/4924-259-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/5112-700-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5112-211-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5112-332-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download