dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17-05-2024 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
Size

1.8MB
MD5

edf7b10cc5eec86c9093ba1915eac5ee
SHA1

fa56b0d71655d2a0e7fe87f91101bf5755171948
SHA256

dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c
SHA512

87ea23ccd0ce088a1815c3dfd02e9e98b37e43f0ea50dddd2c503c8adafe783e35f328a516afb63569b73cf22c92dee12e95856b6c4c0c9e2b3f1820465d5d52
SSDEEP

49152:rM9QPdxwfE7WlFwKAfzuTiDFUFkWkQ/qoLEw:r1PdVQFwKZCFgpqo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5084	alg.exe
640	DiagnosticsHub.StandardCollector.Service.exe
4968	fxssvc.exe
2848	elevation_service.exe
4352	elevation_service.exe
4584	maintenanceservice.exe
804	msdtc.exe
1808	OSE.EXE
3848	PerceptionSimulationService.exe
1568	perfhost.exe
4588	locator.exe
4952	SensorDataService.exe
1952	snmptrap.exe
3028	spectrum.exe
2112	ssh-agent.exe
1676	TieringEngineService.exe
1716	AgentService.exe
1592	vds.exe
1220	vssvc.exe
1088	wbengine.exe
4836	WmiApSrv.exe
1804	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\wbengine.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a13c01dc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\locator.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\system32\vssvc.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM472B.tmp\GoogleUpdateCore.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM472B.tmp\goopdateres_iw.dll	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM472B.tmp\goopdateres_ar.dll	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM472B.tmp\GoogleUpdateSetup.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM472B.tmp\goopdateres_te.dll	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM472B.tmp\goopdateres_cs.dll	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM472B.tmp\goopdateres_ms.dll	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba8189c0efa7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db09b2c0efa7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b8e72bfefa7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1dc80bfefa7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8e788beefa7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1ceb9c2efa7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c41f87c0efa7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000748fbec2efa7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe
640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	972	dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
Token: SeAuditPrivilege	4968	fxssvc.exe
Token: SeRestorePrivilege	1676	TieringEngineService.exe
Token: SeManageVolumePrivilege	1676	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1716	AgentService.exe
Token: SeBackupPrivilege	1220	vssvc.exe
Token: SeRestorePrivilege	1220	vssvc.exe
Token: SeAuditPrivilege	1220	vssvc.exe
Token: SeBackupPrivilege	1088	wbengine.exe
Token: SeRestorePrivilege	1088	wbengine.exe
Token: SeSecurityPrivilege	1088	wbengine.exe
Token: 33	1804	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeDebugPrivilege	5084	alg.exe
Token: SeDebugPrivilege	5084	alg.exe
Token: SeDebugPrivilege	5084	alg.exe
Token: SeDebugPrivilege	640	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 2164	1804	SearchIndexer.exe	115
PID 1804 wrote to memory of 2164	1804	SearchIndexer.exe	115
PID 1804 wrote to memory of 2592	1804	SearchIndexer.exe	116
PID 1804 wrote to memory of 2592	1804	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe
"C:\Users\Admin\AppData\Local\Temp\dcaf82e78639abd07419690aceae88a3d90538ed1be3b12825720b7e289ab86c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2264

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4352

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:804

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1808

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4952

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3028

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2204

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4836

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2164
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bc29c8a08627d701898594e98e7d9e6d

SHA1
a558e09d9ff104c8627c1f91c0dd3a3cebeb30ae

SHA256
7f2945741f7c7328bff76203e57486c94ac1d33203ee06f3a5a51175baa5bf80

SHA512
9e5d0806ae47899f09238a2dfb1e815c25e0e956c0ae7f466a82c0506bfa055a5c70c2dd876dd8711061c6cfe2570b2f4128d211d4777b4db0cf34281d58d5b9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
abe108bac6d8f11c03bf52257ea8df42

SHA1
0627cd18988622fed79485548557892b201dd193

SHA256
c3c6cac2a0d8f03efe1ba37cb5595e96585afb52e63a84f915deca0a8e4d4c1d

SHA512
2ac83ec3fa2df8ec1a8e7d94ad2b2db64eabdca60f6404695260db3c46218c3f5ad7d9172a1991055c16ac533148b46d287a7ed2a100bd841125f3a56bb0548c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
20813e8808b1b96a0375696dc97f76e0

SHA1
2249188afa1a873265c77c834b32a497a84dafa2

SHA256
1545c5130d1cbc69237f0cb64d37bf4b8c561ba45aed9a959775fe264c8f4c7c

SHA512
100e1973d3db4f2a72666395bf96d8c8f1fdd9b7c064804b482082d05929e07bafc2c1473dc18ba771423cacdb870c881315dfdc8d7eaab52ef3863a2f43e457

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9c0aa01ca0e0d07caab171d2b41f2e31

SHA1
9bb229d1bf293a10c0acbbba11c9577721449ab8

SHA256
3c5b2390ecd20f6b460f59d02828c00b52a9aca5298c5ba790f5c64f66b84e9e

SHA512
94c746a854b16bc2da8a2c9810e20fa3bdd2573ae9c0ff17283e6e90ca423a01e37f6ded2e6ef03702dbcd10ae79c23d65a0a315dc68e1138cc6b59d5e7b39e3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
106eb27e3bb878896b6e6dbc84f1f9a1

SHA1
0de2d0b0bd9f30ed366dd9970ae3bfc16f3b63fe

SHA256
709b572c82e962f2f6b572be6fcd0ffdce000c8368005bd64cdde9328448c589

SHA512
07ff83071f018222fbaed1205c595bc60d287cb8287644dcec1722c86d91427c7f83fbc051b36a89d64d733c4ae5a4458cc09dcc2b46c249e3a45f0b358e2af8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d4b7b856557928de134063da72b59c8f

SHA1
d8d5ee122e0b2133cf86242c13626b272da2ac05

SHA256
8bf60db489edcbb3eaaa2984f3ea996620f3ec0570732866f497b1ace4ee63ec

SHA512
9a316250c7bf579da0db83094a596b60756fc35090c00639a4856840230ff7e872ce47ef2d020a52de4822883fd5bbe6205a0b0aabb4018f206a52a1e9fc56df

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
25ea9b970406f117b3e3f23e5a235694

SHA1
c986587b5f7862fe98e24bae47afa1ec5e1bcd6c

SHA256
f55055685cb93aaefccda90420a96971279e7d1eaf1227eb7a2b44147d2f31ec

SHA512
9adf62ab4c7ff62fcb27acb74d5868459b24a0cef6ade7a048f267ae3f04326c5c4694de74d75786c8ad19423cbddd352a79c51a6b9d43487c7ea2df42b39d18

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4694afd12a2ad37eb3d114d36088067f

SHA1
3a9150cde9db9edf9e99d3f096b3a3b707ec17d6

SHA256
37619bb87077f5b3d3668766e30d99639573aad0242236be3f0dd5a6c0239335

SHA512
32ff0ed1f87b174d79940ab6fc32b596233f9b0dc5ab1a888355168aa7c8be4d4187f4677fdf0c4d16495b471113097578c333b645f7dfe643ff031473d67658

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6dc5ef2abd0cc6dec4235ebe5df9b9af

SHA1
9bac8228e96f81e0873a0b02332c6903d65090ff

SHA256
8ee45fb4f50f5bc9444b7eb4c7916884f0e622a5c82502d6d6111f18a49e3d74

SHA512
49b6bb0615cb7d2d0f667c854586052646e9ded4bf384c5fd3cdd3dd3da38b6922dc6c8eb13852b2c172d80ca2d5d3c3019cc239248359dddad34e577e8ca203

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b30157d17d9c3b97f6dd3a4060704345

SHA1
c51a4ef1fa6c5a67db7340853775cddf3daf360f

SHA256
d196f8eedff38dc53818795d3c9213467814bd938ed9caa79946dee66ca0e9dd

SHA512
305342c1d47c4e478a18c25f95b159017c4331383dba36c9fe32d8b7aee56a81a0aaa23959fbc456f2d329e7b45fa3444f2f511fd2366e2cccb2433d251535c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a370676e7414a8842c9b554572164b85

SHA1
fc68b1283e093acd7b5a68c17f38e6668bfe63ee

SHA256
be02135a8f43835b29f51afd8e6097ab1f6f9d93ea26ceed3d3ef52f328894d7

SHA512
bc0f35f8a85f757037834f90d959e3d4cf7a69aca27d3c8e2b887584f622625dec6522574949a1f960be641f835e9680fde92a10c0abedd98e8f18a0bc978ee4

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
53d0128a3431c905c56f00e56d8669a0

SHA1
532111c43156f33226a7dc58864bdfefa85ba4b1

SHA256
d52bcb289f3b74bd9e83bc10d2eac7984fadfaff670ab383b7e9d146e9161c8d

SHA512
5aef51ad24a4334276b2ae40dc93b9ebc2f0cd4e49b96013d99aa2ddd0a45f47863d3c422cb68e927cf69b5bcd2a84d6b57ab195aaadd7465ceb392ea7ca820c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
7c3b5e2d118a80112a908a89aba19e6a

SHA1
f249f2d016b9bd131f29fd46e8c9c6e35d867078

SHA256
f18b6cc5217e71f8040374ce22a2a58d5f59f79236137612aea42188deb76267

SHA512
aec11c33189880940c71245b3e9dd2f0534486e4f6f720498a409d4e97c78832763e4a0a8487788fa49cc8af4a85613082106171192b8e2111d06bcd3246748b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
21e97ef027f8df2bdfe2271226085537

SHA1
207394ff52f081d2f514a95b0406d6fa1798c5a1

SHA256
1f12a1654bed984a1e527dfd20653f9760936867efaef27d011da6d84db0de8e

SHA512
f0b7d656169ad4252f97f0c8d19fad4505f7c4751ef4fed2baac74df90c30b18c6fd91ef7bbdcb08bc9cffb7c6a37472fb3cbf56604b25bf456446764777c273

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bb5314a5460c708d625602ac5ea06327

SHA1
3e66db9b029e62b3c3a28968f794c29d277696eb

SHA256
02355dbe67adfa7c915c383735ba721b08a1ad063b4ccb39421ae89e5b86d5fd

SHA512
4a2f3c276d220ef3d21509d487f818ee8436afd81c111d6b3c348f4f60eace4273a8714a41dbb7eff3c8acc4f052985610795a39c6a877d4c7ff2445176f1125

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c338f7ce838dc62e4dae0cc0620b0405

SHA1
200bf67b335871cfaabac3dabf34a5990360db86

SHA256
af8fc68144b88d335853fbec6d526db4bf13264085e91bd9c2d8af78d9fec070

SHA512
9de0bfe8ae779bba558f8d79009b0849f19e650cfd931f06dc96e6dd0e069fdbae90b111adfaf6b17c1a55152c22f8f64eb314edb684fadadb56952fa71fc1e9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2abcb879a96361f7893989bd57caf741

SHA1
4eb1ce05fb67a5f55a7de0e7509e96754a04f41d

SHA256
f25729818a1a813d03fb7fcc7a65be8061c042ab1f80ae9e4c97e03d2a04cd16

SHA512
3290d5982f7b0928b3676d92b8d84a2541e630c32b94261cfa94f0429cc6e55e1d518946579575e7a3ed2755d993b5f65e1f5ed90862ce314f176e7fbcc6046c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4972a60964ca4b027cee2768dc36c252

SHA1
e8e088ba157468b07bc5f6039fdac3c071620c93

SHA256
87a0fb0484752e2ec36ba40a0f571010bc04ee7debfa386ea0a8d20191c6e3c4

SHA512
06279f66290ed323056e94bd7b9eb8199e9fd49094ff00161cbe3707fbd92fe27e5614cdf9398aeeadee3237307361bc8f58e53391a2172c44eac98fadc573b3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
430a8dc50afcc2f572bc10658ffc0c0a

SHA1
88d4e652db5b8496b8efabd82bb16b3f13d5be1e

SHA256
f4fdc585dba1da93eb4372cb26c4fd786ba25b7d8f08625ad18f3f3a175c77d3

SHA512
4aafd931361ebbb6e58b9063b1e466a88961b77c02258ceef38d4aa21d498a9e2b93d6ceac8c6e52b9a45cd5dda1ca507ac4bf0650cf60015395e56502bc16c2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
35463d121ea40a2386f2e95e9e304c1e

SHA1
e3c052d381666b0707e0c9ee880d2455b4ea5758

SHA256
4ccda16ba2b6afee9657990cb90d763845d6d2353dab1536a1cd98246352ea63

SHA512
6a701bfa09ca941ca4e705acbbc66c39667f029cd0a5b563003d7fddbc7e2490444eb8e975b51b0a40e3d04ec322b9d276ebe1d52da703a43ac33d3bec3260d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7da5141cba4a83811f773be714d12c3b

SHA1
1ad168815a1e525db202b5e410e5f3950a20c979

SHA256
2a7ef90354e85c0d1c36cddd7d2b913061851151a877f2b40189ac69287d0e15

SHA512
a030755a669ba0e13a7ceac573e3ace55e66193fc1d35c9cc7b1bd8f204d51f9c54bf91cd13f103fd36c80e67b86b837e510bf3033b69cb4e670211ecdf936ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
54618a6e4be6be6ef0ae6b85e1087322

SHA1
0d1144ec9c4af883480167ec5a02539df8c07716

SHA256
a3870477198130f481c9733b7b71d91f33790bb9414fad9d6c01ca3e68c52d11

SHA512
675063e2abfa6e21fc7c0dc78b6ab60cabebc3ec93bdeb8dffc48974c4a43b9970c1a1a7f5a8bd396c36eae6bd185f62de6ca82d1ba5774d3ddb2192a928d67f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5b89332d1f2eab51eb81af6df887d206

SHA1
8903dfad918068eb36a8745d6ba99289d0d94e4b

SHA256
fd10a468b1202e5aea7ea9263a704e26286142a9d9c68dc4666797888ab75615

SHA512
e08ac2acfb918b8499eb183873f0fdeb3658909dfbd0d8ed3e2597ad417a8ce7a35fe38314e344cd611d0809b4dd2fd0874a0d9bb3ca70e13d23d15f0ac8fbaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
138d16334c3ac844d643a2af3d0dca5a

SHA1
051470d9affd6bfb5793499542a68b0807721c6f

SHA256
95a5f188baddafc87f3ba429078cc2f1441bea7033dc5d02ee1ab6fa32801a4e

SHA512
1676baaffc7bcbf81df49f7e11ca1bc7d683cccd40610ae7336d2425a7db705d00fa3a07d7df5806848593f3d1f2ea5d35d3fb7ded5e1b29f781be33c284b8f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
35a80ead14400ed778ba9a26b2738be2

SHA1
572aa69340965b9d1567cda652238ceee4fcecc3

SHA256
2f277ad578271d0120ecd18095f37ff9a83111b1039b3997298482a332207d7e

SHA512
f316c598f20bb6c160f51c501cb84bee04e903efc1dea62fcbc4ecd1f66930c37959e6d83f36731d83028c6c45da3abe6a1eac5908032acc2d7cbeb2cea69022

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
d6489321e7d3dd2fdc7ff87dbe6da339

SHA1
659d9b4272a3540a70a4feedbcd748294ca7b78d

SHA256
a1dd1c23ebaf6315391e325766369372fb8f022a8f559d523b9e6f38b6e5e380

SHA512
ed060f4042d99740fd726a185982e1d7995c654a97e60b22c712aa711d18730126c1f4c6b916d1f6a422ce2b290ac5b4a0745998619557e9d2f2185450b98444

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
335e175d00ff621bc1c61dd366981af5

SHA1
79b2d9d98e8dd36f1a6c426e2244c425ab337641

SHA256
370e0f48cd1a85ec502be603fe83a884ea7fa24558138a4b808dbbac439a3e20

SHA512
6edf86d86485cf0d13db29b1c0cb809bd1ab2f6d0cfa25456f2b9ae7866e184d4a42b31dbda1f71080a94b9820f9d512554b2fa4676f4611ed1dab2b793485a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
39205446586069b2f602037bdd379859

SHA1
fc8b87d361e9200340689cb86fa39687266d2168

SHA256
fe49452f56dbf76c280c45c77b337a99b773b550ef8a1dd471808423b0b97839

SHA512
06933285d2054921384a6560514341c9febc9b5a249e4958a0c407aafd400cb60d68e2be483676f1deb864de110866c903d9305f7dff3708382dccb673fbf4df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a63204777e3627b16e4d530915126250

SHA1
6b152ba245ec6784894272df3c1e601b38a5df45

SHA256
df7099b9950c647c3bdb49d9802443ec3d5d1d42d291f9746dff06024fe30f8b

SHA512
5c33f7b2d689cc6b3413eecaade60aeaa62b0821f917b8282df3b4b0f0cc5d16b27d1599a5d338cb2b0ce3a716ad5e1d591d2d2ba8c07bee41a8b2343df48d4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d17301f71753d45a3923598ce55defb7

SHA1
0a2229f3c75bc4d057fd7bea56ab99ba0b58a71c

SHA256
414d22e33538e953592e79f2545e0f4a972d2237a5c95815f569166194ed04aa

SHA512
c9bed563d63dba714aaa5fa6eba5ba53b9a5ad545d719d7db95d4f888acaa1a8bc8b3d82b3ab2efda16e89724dd87ce16c36d07528fb9a40863f686f86459134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
0cd8b0e60e568a3ebcb7ce887704767c

SHA1
ec46ee29d7b57894d4361c4be1416f031b4282cf

SHA256
a219a0eb02bb73f1553d54f48d47c0009495ccc8c7b960670f7cb651e899c652

SHA512
e52b8c60a701751a509a40448c3429e2e4e1c378bbf420759b3e97f11c21a1920893aaf018f23a2eb033c93eef6537194d2921246c5f13d33df5c02b45dc8846

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
333d1f8c62080d3103c8d08b809d1c9e

SHA1
034ab1c74939a1eaa7e9de0a34ccf3d77ae1cca2

SHA256
a6ea8f10b827995db0fd88b17176b515120efdee4bc7d8c102044edd9c8883ea

SHA512
222d0ac77ebc50494bfedf0a1ab0bb586d7762d2d5ddcd4ddff4cf6b311b078d2dd520a6a11a938afd10e15275f23ddeea1ea81777b23703e113200330c7580c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3a4efaafa2a50112677afe5d9bc9bcb1

SHA1
ff6b0022437ced03824f577d31dcf7e18c86f202

SHA256
e000c4ec85b62c0c50196ed8a6a62120d45b30f1c5dfb8790ab6a8ddcf887259

SHA512
867991331490106d51b33b0e2787869904bb4172db0ff761c70c63cebe99cb6f92140b0014c2972881566cd37a5b3d36d11f5db272f6843d9d52e2020279a846

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
3fb80ee786de59ac5bdaa38031096a70

SHA1
85794abfbdfba93c486af5a80136ceb212b85b95

SHA256
536ee2fc64a2acb3a0c974e848558412034eab4f69eb2928f4ff1872b589181b

SHA512
2ea4ad32751e8ee6e5770e7302075c4684d91c20270b0fff59042193c17566260546d83ed5e4b4c665a5e00dd774398024cb62954364820e1ad30442179f002a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
07e8e6b7baa38604fba18f9370d8a36e

SHA1
2dca9c95738fb2f8a10bee3011148ec628fa091e

SHA256
fcd2504bf511193ca51a61e362d2e791c027f43011108831800b1e705a4f7ec5

SHA512
c867dcb83e49277b4ecde5b86372d0c00db15a3537940977e07f7afdfbd2378a089d53dfe993598d0e07bf6c606c127cd776c18293ef4f8b963b33e8d6410350

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
21c42adb66eeebfd4175ae37c626b00a

SHA1
d4bafb089f54ee98991b3860de25626a346c8310

SHA256
7090ffa362fbd1abe3afce4d7abb84e754b033713ff2ef89e5021a0994a09dbf

SHA512
a7431e8119a870ab2e290f60c14655a768aab4a7bda303a90dcbc490290530b6d90bc4c85321035db5edde7d0f3ccad055d86806cd1e1eb40903307342981f3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
8507ea4595b502567537aac0463e8890

SHA1
cbcd51d510a2b02de525102a9bbcf2532beead2b

SHA256
d63240b10d1d38bdff438d8b9e5defa7553b4bb37191d296f0cd0f3ae25a5d42

SHA512
0893a8af825e55165a50423710767be3b903b7f18315285f04b76a46cd56bf64e42ad6df53ea6de6af16db40fb975ee7f8a38080e1b776c4c4495278bf49a20a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
61a3c61fcd61f71cbf011cd4a7c4ff98

SHA1
15815234f39da7ac862a2b8af1c72d94ced3c83a

SHA256
fb1f98e6aaed334b5c9c61e577ac49025f40ead4e8c122da3cf0049038da89ec

SHA512
bec134f0b89b545cc4c549b82857736a1eacee004b8e5d631a2e8945ea1b739fd61fa6f1331da76ac9ccf62e3c58855468bf6df1c240ebc194cb6b03f9786333

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
2354d8c41259e716eb284326f7fc4a89

SHA1
bbf2b70c9ddb594573f1c1defb03e148c79a5920

SHA256
dcc9a918a8a3494ffd72b92fd6defdf09a39d79237de1f840a200d21f0b3bd5a

SHA512
f01e1bde8a0f7fc8e7948d88af7cdde4109063bd826e21bda199fc4d86e7a1a488d1d7e064e3f767b4fef9bb7ce422979c0bbc85c6ed5451d46c434191e63569

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
db10ee0de6d009936f4a0470099666ec

SHA1
7f54356e56e45365545760ff262474811078a2bd

SHA256
381d72c5d9f0c31d47290514107ef6cd8f858db3a632e576a277a1b26f51486a

SHA512
e191e9af9c531c573d77a14a5d352bbd5229307d43d6ba8dc47123aca5b29a5ff31994815bb7a66b8fa5b8b9d7bfd52b97fac40d5a486fad8c71f8d0662ce60a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b058c966838ee2a99ff611d9ca244be4

SHA1
ceadd683aa186a70ebd42104b3e4869ceeaf2ef1

SHA256
3a20ad2ecc3221d04235f3b0d679ef98e8ffd9e9e93d8ace21d15920fce85965

SHA512
37cbc4a6505e7b2109b5af2dc2cec57524f039f3f64c066bdb91f36e11f24d07aa689e05b89fd14b3ba296673884aefd841333ec903bcfbc97012b1a57dc4f93

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
069484751d02c9cb51d3d460e5e7121e

SHA1
48a995d765d01aa140ac647e1c014e214780491c

SHA256
a2f44143ed43bdb671771aed9427bd6e437929d43fa88e922cac0066e93a0f12

SHA512
55702885b83c1670cfe67c82cd074f16848ed337c86005ce728519f2ae33287305441a55d94fd4b206fe231a99534f0838315d1874683a439a74a0423dc932c9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9e9622677fad38d3db39d8dfd2d98118

SHA1
a6cd8a9fe6e91b70b9a154b9c7eef31983b54df2

SHA256
6378c68b40b9c74a493e731002e7c752b92727429da27feb21a2b21a27675af0

SHA512
cb099e6089f5d20b3b7236e9d488d1099bade142701dfe4dc38b8c127898d45da1289cf674fd6704e3b43227769664023d2010d3ab0bd43bcf7bfc09db2ed0fe

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c52ffb154040d8c48a54958ffbbdfdfe

SHA1
a064139347dbe5900bb666b8b7467e3cea069470

SHA256
7eb95b06ed3d7dc9c7617741ad06ceaa9f57bfb1beaae7094e6271f36e2d7592

SHA512
d158df633639cbc69703ebafc0d23e834ab43a6035f7b827302ecba1f8fe95e7da8dacb3bb527100099ebd0e5b71403537967df9d7c775b4d03378e791f2b617

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
5c6256d72f8fd581d664e8b285ef60ca

SHA1
c144a3adce6ad434ffc132965e1fbb9e0d0a46d4

SHA256
dccfec660d774bbf82993d7473af731ab9302ddc0424fb9d4ee0dc54bb3e3dd9

SHA512
a83e20eb92117727b1fd3d085f013102a53a1bd694e2127e6057e616ff32bcdfc04a1e8eb48c6d79b135898c3f29b9b8a05f0e0e9c174a93425c1fa74a8be5df

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
0e57b9f3ed2ce26ec377994af2ffd50f

SHA1
d16649f742bb25fa13a57623d9bb4bd3668b516c

SHA256
61b7c8707bd444bd07553476747a0c39c2c243a1e621d628902040e573eb15b8

SHA512
9629e8ba1d7927a78c684292660dc10302f31d95ae897af78d6bed962375e7ad3ef65bb24903c788a1937eba9ae2814ac511226c2ca9fedef560ada5fc3889ed

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b6dbb2f2d3c099fbddc0cd786852cb57

SHA1
24c83be0f44f9a126e3fbb87ba4d32247cecfc35

SHA256
a78a4634953620edc408036c32864c1631ab36b83653779bc10fd113b768a426

SHA512
677966599d11c70d9b3e2ce0e4c9ee2270c1056837f5f0a51855e3a82ce4776b275554a8b20022e85be737bdd9779e18370d3b4646800e374fdcf0d00065e826

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
192712d81b33f69dd3c9245f16f89238

SHA1
f9782145f505b3bfe8fb10c55568d6f3363ddf5c

SHA256
54ba526a8a9d17e5420f08befab1f990252f6331f7a71eb72748dfad657e220d

SHA512
3e649f2d31cc5cc49635545033d676fec7a6c6e9ca7ac24ef4652f831376acbad28b7c0bb05ef28a49b4a40b8e9221dad7abc8de137eae419c45a13e9ead9ac8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8bf1ac85303d6096b6d8fe0b5c286180

SHA1
a65af5d4124e0461b4e6b2e6e5ab6d543dd8dc6d

SHA256
8649a495d1b5927057db6861548ecd2c9a25b5326428fd17334a404a843ab28e

SHA512
0dedc54d61032ba1e5de73469fcd4521adab90e34a872bca3beb8c82d5238e9b04aa0b90676e37a4a81e2b55ee12f490fb85afc0c26bc1a55ef8b87aeacfba9d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
589b9e20e08108a557a2503b7d09f952

SHA1
5ec72c19c59c0c84e460ab9fc056e0c1b4a09473

SHA256
e5241e5ce92ce5680ab9d024430e2c02daa79199b81bbf79321f86381f845686

SHA512
eae9d5ff791f861fb72fc13387717896b7451a20eed15a7eea27ba43711326e3d13a6d58b3cbdbbc6d702a7ef6a89e62492195f318e380019ddc975b11a723fb

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0f1016e0cfabc689908679d9fce929ec

SHA1
3185420c74f6f0fc13e5255ae59f63f3e0300cf3

SHA256
9e92fe59305a2288165345b5790920f75ba29a970be90b5a00f607ec60586a9b

SHA512
52e6f2902be06a7ed4e5ad4ffa8511f4c6dcdba34dfca56b9fb774364f3152d55dfc5d0e2b4308cc6f59a2d3cdcbe4ce2d5d54370e51d6406458c28e7bba697b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
cb292310208b480f6fbdcb53c021f64e

SHA1
a2a11b96cf31f3dba8484994a9587a1c2ea1b054

SHA256
3238f21a66b36a61ee4395900f25373654b34e8517ca73b6c125be5157883201

SHA512
827be3a52f90decfe9d13b27ad404c020ad134958d7c1ab57d03a52bee8cdec3ee711839f5bb41091eb33bfe6d3d9e3ce20868b34beba1acee2ad704c559f88f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
49920ba73efee45eced3a6e8979ad906

SHA1
de6bed79d02f357ca9208a8b3526bcc47f88b214

SHA256
ccc1a5f90c58c361e587dfd28f8849aea4c2ae4c98574121daaac8a2780d4448

SHA512
790968c7682c8980419de6b46d99a2d67ed54efc841eb7e6d76c80157934e560ee90a354b21e314c16b9dd5fff3b943517528a649bcefcf37b8f1922f72542f4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4127c0418e80d3816a46bfcedd1638bd

SHA1
7b65eba994ec730ad3757d0567bce39f49799025

SHA256
6e56685aadff9b5220999bc573538d07742e77f825f2b2f26133893fc54d08f1

SHA512
db67fc06b4e9dbe718402baed13c2bc2afb40cc41f3b5332dd7d79a2e74775d6236c477b76b4c34adb04823f763b7f8b0a3bf829e9e16eaa1f0cc0f901b12120

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
60b2169d9420cc95706757e40f619cf3

SHA1
d929e7a9cc1bd906bc96d1a06559f66aceeb9781

SHA256
18fa1ea28bbf3839d515777843d504dea2b8a1e992efdc9660d680127acf4461

SHA512
fb6e41c2d083362679dcfcee624af1146bbddc30e5a216f4876ed0977437c369957d29764ad6e5a61486f881e461c3a9b28ba582af6f4aa3db14089fd8521a51

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
d6d9a932e06825ec9b5d977c230e6efc

SHA1
3107b778bb2cc4a632dfa7b9dd47fb6fb480856e

SHA256
23acfdbc46edd29d08d7e631ba72b35dc5403b5a89176157e1518ae66c950186

SHA512
fc5ba35522e5519eed0e3cf758379895e56d3a1bc9eaa16f2e2f824a3202300136a097e38adc999eb13b980f0a5cd265d9b1310fedec088518023742327efee9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1c9e5e713d521db3c6d0851e779bfe4f

SHA1
d346cde6fa44858745bbe52d05ad39f66e0f094f

SHA256
4ab0d3155fd746073377f3216d75362ea7b9e228e5ce809a8df7f97146268da5

SHA512
19245f8ffbdb4dedb6e2fc570f6cb16882d59c41a55780daf4e5e81150c70f9d3d89dee4164e487b2dd37377de9a06bc70d319cc342d66681553e432feb76ab7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8c7abca73fb0ede0ecd6bfc9d5a9b133

SHA1
c35ad5c1a052a1614575ad00f2f588c68af655ae

SHA256
dc1177d41ecf40496f8b9178d24e3e64cc9b16b3f4cd86485527dbcba4c7e7bc

SHA512
d6d1a606bc75419e9548638aaeab632db8e73eb128d0f40d7233a2561085e475899e67623672ed8ebfc6f072d1505121a03ce82bfdbf9bf5680c9a69dd91e9a2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
995cc1ac8669346bf0d4e8a0fdb90bcf

SHA1
552ade4c7e02258c4618e52db69d9bc3e808dba9

SHA256
c267ae38e7ba23b5062ebb68423acd4d26b38baab262d8b3e9552de59e9afd44

SHA512
757312c937e1029c8cb8bb9eb05e2b022875e7af82c0506edd4637e2f4788bb5a988a5d3fc4c40c4187599eeef797fbbb83469945c290d19b147a1f618e74691

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
ffdea3406af8585946f1337bfa9baa27

SHA1
1d92635e8478526fff2b8b7c628072b0c4f63d74

SHA256
69c98111c4dec2fc0f1fc2b22078c53072ff2a2e73aec8a2fac243c580a009a1

SHA512
5b804e4220600fa486a28e55e60443d3f9dfc8537b3ee32fea68eb266becfba3f604969aa1a71696427f2f3b0748cc577d76dec54f50dd03e1cec38accad5857

Download Submit
memory/640-33-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/640-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/640-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/804-167-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/804-157-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/972-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/972-148-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/972-6-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/972-1-0x0000000002360000-0x00000000023C6000-memory.dmp

Filesize
408KB

Download
memory/972-574-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/1088-699-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1088-313-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1220-696-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1220-310-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1568-312-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1568-195-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1592-695-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1592-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1676-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1676-694-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1716-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1716-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1804-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1804-701-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1808-180-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1808-289-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1952-228-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/1952-615-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2112-693-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2112-261-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2848-247-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2848-122-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/2848-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2848-116-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/3028-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3028-655-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3848-193-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4352-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4352-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4352-260-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4352-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4584-149-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4584-138-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4584-155-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4584-153-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4584-144-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4588-213-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4588-324-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4836-700-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4836-325-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4952-345-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4952-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4952-633-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4968-152-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4968-112-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4968-106-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4968-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4968-150-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/5084-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5084-17-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/5084-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5084-18-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5084-192-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download