60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 23:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
Size

1.4MB
MD5

44efa3a431bf41835c2d9992e3de71a2
SHA1

6deddd6737d396088afc8263b699c75253033489
SHA256

60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a
SHA512

5c3b6a0bedc9776b2db427feacdc4f9fb3d3ec4cd9000ce100f19084161dc0d9c20a1480e540350f3bbbc24c6e5f4c04f6b3d8d056271a1ba201dd4722380aba
SSDEEP

12288:SaKnE5Tf/p0DudXezE09Si/ckGHt6pshsPSGkYl2XIQCb+Lk1TWbPXQnAN5L:XKn0TX2gXe4i7ojhsP5Lgrk1TWb4AN5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2172	alg.exe
2660	DiagnosticsHub.StandardCollector.Service.exe
3800	fxssvc.exe
1556	elevation_service.exe
2068	elevation_service.exe
4532	maintenanceservice.exe
5020	msdtc.exe
3648	OSE.EXE
1148	PerceptionSimulationService.exe
2672	perfhost.exe
3604	locator.exe
4648	SensorDataService.exe
3812	snmptrap.exe
424	spectrum.exe
4628	ssh-agent.exe
3600	TieringEngineService.exe
4020	AgentService.exe
4316	vds.exe
1224	vssvc.exe
1092	wbengine.exe
3800	WmiApSrv.exe
384	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b232774ec3a5208d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\System32\alg.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\locator.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d9ec9b5d9abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf9664b6d9abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a3f89b5d9abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f0d5bb6d9abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040596cb8d9abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0fa47b6d9abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0206eb6d9abda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002152e8b8d9abda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2660	DiagnosticsHub.StandardCollector.Service.exe
2660	DiagnosticsHub.StandardCollector.Service.exe
2660	DiagnosticsHub.StandardCollector.Service.exe
2660	DiagnosticsHub.StandardCollector.Service.exe
2660	DiagnosticsHub.StandardCollector.Service.exe
2660	DiagnosticsHub.StandardCollector.Service.exe
2660	DiagnosticsHub.StandardCollector.Service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe
1556	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3316	60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
Token: SeAuditPrivilege	3800	fxssvc.exe
Token: SeRestorePrivilege	3600	TieringEngineService.exe
Token: SeManageVolumePrivilege	3600	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4020	AgentService.exe
Token: SeBackupPrivilege	1224	vssvc.exe
Token: SeRestorePrivilege	1224	vssvc.exe
Token: SeAuditPrivilege	1224	vssvc.exe
Token: SeBackupPrivilege	1092	wbengine.exe
Token: SeRestorePrivilege	1092	wbengine.exe
Token: SeSecurityPrivilege	1092	wbengine.exe
Token: 33	384	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	384	SearchIndexer.exe
Token: SeDebugPrivilege	2660	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	1556	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 384 wrote to memory of 5688	384	SearchIndexer.exe	117
PID 384 wrote to memory of 5688	384	SearchIndexer.exe	117
PID 384 wrote to memory of 5716	384	SearchIndexer.exe	118
PID 384 wrote to memory of 5716	384	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe
"C:\Users\Admin\AppData\Local\Temp\60cc5d3d31360a77f4233d40dfca94164f3195db5901d7ee8db9092b6b5c338a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3316

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2172

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2068

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5020

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4648

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3812

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:424

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1224

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5688
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3884,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
1⤵
PID:5556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
4a14347827b44bb8f71049ec1ee986e8

SHA1
8962a31998a20f6d4029ebc0932c8ebf71c0a736

SHA256
2b9970c1a0f70c2ceaeba2374e762883562c55d8f8b0536f8ea9d7ecb65cafbc

SHA512
e4a78f0b79a8fe25431c4b6302c79d573a85089a670a3d651796b2e508c6345d3cb1bbbac60aef6926ca7b35498c6aa74b031d50fb057b1408eeff8c29438fd7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e9efd2762a4e08e1d2273b77a9175e6c

SHA1
dcd0b6fc7940d60e497be651a783eb984e6dde9b

SHA256
fdd27a29dee1d377750ec3c791f65bf1255adc8a2e544484da0e53b73dcd02c0

SHA512
a814c86de3488545cc007a7990972bfba5cd5ee3e11270e3dc10c2ad8fe95aab5677084eb4be02e5fca2cad64d02be8060fabf04b470976dfd59eaf7391cd466

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
824a5b03b0621699a28c9ef10c74bbe9

SHA1
385c4ebaad10d64d18696f90cad6bb253bac5f47

SHA256
a77f11ab2fc5a99c0970955b58f94228062d7d1bd521c9223198942b4e65e103

SHA512
1be6b92477bfdfd4c65bd84dc3e66e50c312ea6cdb70ce2d9f9c0578e1bcb9e648027fdec6d4720ef5b65bd5555968238bfc589f6ce704d28c29575a9a4dfb0c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
49d5f0637e6fdf0952b1073b9c77946c

SHA1
6786a7716bc734de6b184f990dedc5facd03d183

SHA256
9b1b16d873f3fc65841301cfa12f9c524f645578821ed73b42324b34b0115692

SHA512
18f270280f0ffce978fb1be9a86b5e58574ca9d2baeac226ba1bbbfcc12eb66c1d9851a1e8bd57db174dc8c2b12433ff819f062f7b95c8367e859efd77e129d8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0ce48ae19821a61cae21736f201d52fe

SHA1
2243d9aed79651e2bac71c6fe6d7410df940e752

SHA256
eb140761e327620b1837c618d3297e94ca04d991cdf28600aa9537d984dc93ab

SHA512
dba19d2e21d57625151d7f3812090a3638bd5fe2bd09a66369e87cccb7647a2422e9a88e23948a2bed57a7fd0e02d41fc38a22a4da6fde7ed01da308137c2272

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
31bc157be086e15892d216e966cdae11

SHA1
f60a1e8abb951c4c209925df97183b967802d7b0

SHA256
b58b3ad7c2bf57a996a6803a30c4baa10f4453223a78bf2ed7ab92b676201396

SHA512
e0224981eae87a9622b5b865d6a5406b6dbdce100329567cfb2924b96babb80242f30f1210f82dc7d633b798aa8bea451669f09db75fca85e5761567a65f2618

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b392711450bcef6b13e032ceadd272db

SHA1
6dd0ec08662ceafe092ace200ccbf1a0ad2eb563

SHA256
146912046f851e9b22eed99f126c1f257949ee7729871c6e417194300fb778cb

SHA512
45781f9e1c2a6d701a2528a27af91265b1350c672aa2a4c5d233ea9023cba239673b0b48014393637c9bd75e1b6c09b16fbc84508023f07c9231df95fd168925

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6d8f90bb5d12a5f03e718347832f3dcf

SHA1
6cebb4b7d60a869fe831e1b944fd0cc32831ac80

SHA256
dfd3a7dd45b31300aa3f48bc5c9175dc92baef105e6fec8d7d802a92351648ac

SHA512
ff18811e9072fb91ba56afc18056ee31075aa8f11914bfae9d1f462cc43893f1a3a1b6075f94cb43750ca64b5c76d8fb10577c7e1d6cf743b75c60eb3bce31a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
cfd19f8977772055214050f8d56f3f33

SHA1
364c2c36a5c46da400343ddadb2f9ffb1469f347

SHA256
e053f8e54b5ed846d5cfe14a53434f17588d44cf5b5a08031bece356a1fa9dde

SHA512
a42773a6783ccfd464b4b4c5ee24f4bd599506d1ee63ef4ce6fe642a1cb8a8f800eeb13c4321240ae179a969eacfd41dfff98be3359ec236bb4154f38cffbf24

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7ee5cbd2fb2fab5b042ef8f31437ae34

SHA1
92adf552b594174daa650baa0df177573c690a7c

SHA256
bfb2ee6f5719174e8a5ec428053fc05d0c0cf557229e81dd8f4936f7e27b1ebd

SHA512
2b349fc2bb2f3384ca99ce2cb502bf2eb71292a1510d5ed806722fb461b250bf4265ddab5b0bd4c61aed8b2a088b46329578bc614957e3ad02cd6ec5ab89aa55

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e334c2a516be12ff76d84d976eac11ce

SHA1
34ccbd717ac0f189484b46ba789e8621ec537a51

SHA256
90eee329f3199f7fecfd2e53800948791cb598a328530270d717e3ce47370bec

SHA512
f3ceead2d636ce8b04e72ee7e514f4b18c79730bfacb11962344423d135e372757f160651e5288b0b461eb1dbbd982771dcceb0e4cc4f00bd0e3be4f0562e207

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8ccb3047b115f6e31ca808886904d17f

SHA1
9fee8aaaee4fbebc573423f3cd76cde6e698cdcd

SHA256
2739a0c44a1f070df16250d94817b037a6161fd3d137859da53b56265fe1ecb0

SHA512
0e54e44f098ff487b1272dea79b5ce958d5ca64f0cd8e263fd3ff4aaad0914b8de05f4f564ed8bc903a204f3a547165ddaf0abf4ed539abfa202cba579416a05

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
f537b586377312c18d437740dfbec6a8

SHA1
9b0212351fb5b8b08897213dc5ba953c26741002

SHA256
db67c146d70e0d600758d2caa19e3ae4fa12a8548a0d511b7d441cfa0cfd7625

SHA512
b03e54b2d89e93085b0519642e59a61755fae4e0cd4cdcf75b651957c0538f20e3b08308ab7091f30a53ec3e44a3cdfd8fcbc346d513b309c9a7c5297933d7cc

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
6f55bb854deeed528be91e9ca9c66d2e

SHA1
820c7bb9464b98bef27fe4eb1e933b982d0a097e

SHA256
bac9b838cd1ad20414c9383874e0543f57c3110267ba94935a259b64439cbd91

SHA512
10cce6c592ccbdede777ccb3328fdbfc375717ff0dd68a44657660258109bce440f59b90c20e619833dfe2f4f646a011e48a2b67a9d18ff26bbdb601735736a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
638466a05d8ac2b2e66d6cbc915f1d19

SHA1
4d908051aa14995e60ec0d7fa4e7d307fc1be1eb

SHA256
1cf3c2de2f7313d3eb5fef0af64583e5c1c379ba2f9e90b87ce34afea6ff835c

SHA512
fd09deae2b8769b4d3b632383f83384995266847c074eff4bc6a7ddedcfc92aac6886e9b0de614a4fe1ee526d206bd5ff9a899a54639dda8c8504ee130303b6b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
96626f51dacaad06d5d313bb5c0414ac

SHA1
287048db195c2534277cbb68966e7a6de70ce1df

SHA256
ce3ca289248b8d7be71722605c5e10ee32ff5f7e99ff76954abada7dbfdaa9e9

SHA512
61828bfa251e982ef2097a31dd201262bbd2d5e41d5eb79c6a07d882fc49e7bc23d86e924f4a9079da4066c1d4dd9625b4c8b963ffe2a97113e0e60aa3f12d77

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5bd4ebbe4bc219b512871d89f05ce651

SHA1
e8561a761f8aec87399af6422ae4b5d2cb8ebc27

SHA256
e6def20a90f31ecf1ecd34c6ca4cfa5c75ef09c2dcf3b5679ff28e021081d969

SHA512
d616f87e69abf0823fcb2e9809ab2bee4b49ab35106bdd31ae4a939bef666bbd583a2a10d9430d5416dff9d39a5d363e670a8cabd18d4ef386edfcd220f17208

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
6014dabc263c3b5fb03bac5753ea07ae

SHA1
ba030830dcf5370774a4837c3d948613679cfbd1

SHA256
408737767c11b98c948a5db6eefa4aab30a91b5b57daed9be40db3eddc9d175d

SHA512
6398dd3254104ae311789c88ae2971ab83654e1221d77722280a54e1e4b1df82064ada5e5419ae500cb3bb428c5398b2cf58d65d2ce7c5b41f78ffdb42d7c877

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f5040ac3f56001e14eebbc71538ed612

SHA1
69040f9771727b21ea0eb8fcc580755ce0e1f3e0

SHA256
e4b03b6eb15def1ab1af990eff5fa145ea0f521335628cf4c5785e59c929f4a6

SHA512
2c431be74b8db0fa7e7989a48ec0cd7fc30f4ef861389a8920f374952442af591107897a1c345329bcbc6c1231d8da16af8aa76e62669a7227e3fbedfb406791

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1087654016e23d1f2063dab15964bb07

SHA1
b5339eb360a1c2ed00473f78d69a1e9b51844d32

SHA256
b484dfcc0ddf35eb370bd9942137f09cfdfc8cbe418c0b561e62704380afe9d0

SHA512
83ab3cb001543cbdc6e913b3e6d8701b81678fc45a47f3c28a5656dd6cfdeab891d36e4f0c2688e7c80b97b52a74287f8b1acfa3fae492ad63afcf6e6e5cb25b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c6615bfd6025f12a569a6879de124b1c

SHA1
5705703dda95db47bf9639f72caaccd2214fe6d2

SHA256
8ae0c02f2a76b1e445449e654b7112f0e51982731b5b6b3b1f816a3986ee1f1e

SHA512
85d6e3e92ad55c8e26b625cb5960c5ab492c4f7423ad518ff4922eafd68290401ec24743b1150e9481035c9e5f8eb70606682593944a7930dd12389bf57798b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
df81e0b441361013712dc3c8d820202c

SHA1
e93821d4fc2a32bf11b48acfbf466787c67682bf

SHA256
035328978fe0ae2dbc07777864b18e7282d75e514b38b23e40c71904c73593fe

SHA512
a758fec033c629bba060d133fb6a4c2ae03afa667476c845a7922281ac794a23b3df87fbf81a8bfc7b42cf82a871fd14489a2e47962da5262a077c7747f45a92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5ae3759a4a2f7132592c5f2e674d31d4

SHA1
cd2ed5d022181ffe7ab8e25c192f087a5db0ee84

SHA256
14b60dad7365765aa1027b50ce98e7de52a9dccf5aaacddae7f617ac63f6c223

SHA512
fcd9edca20af63eb992d6867d1e97bf46dbe639c1b4fe46ca2c10ac337eee03f4583b344f6c4f3a3b4c51859cef50359cde1de31513aba46a0f9b7fb82a9e0f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
93098a0e26053fef2dafcc0fe8022e89

SHA1
db5a16227583aba13b48f93e892c06b344457a79

SHA256
e0f82fc5bb5dc19e0f26380c1e3971a7b15b3d5a5aa795d45606081e678d8c1f

SHA512
67a945d80d28b8c6a3fbbaf0f2109f66eb300c71c7c8a70c195aa213cefe7e9c8131aaddd42876eddb3eb20eb3f4e80321c531eaca9165adaf438234d1996edc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
1f62c5d4d50333c82f0b302f293d63b8

SHA1
4ccf941a95c0fd94cfb04ecfbf8866aa218b18cc

SHA256
bb3b01c9effb190c0212e897d418edea755c78b85f0dcc657b081130d5a395ae

SHA512
d70c53d19a2c7f3c61616ab308d170940612e629b47af80087370a075b92cea504a41c3399e8a6fa9854843978761136ad5d988d733108d7f15e857f4135c57f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
cd815226fe5b3cffa674563890a1f8e2

SHA1
f3a4479cceb839d29a8c46ad5942c06a339108bd

SHA256
58b505c226851df0e65e438380941f89683859722f718c324083548c0d4860b0

SHA512
318419fbcf67f4796d0ae29d6ad59598cb269d72cd08554fec1bc3fc13ed65074555b90f1724773a5b9c53964bc79778f1d706e43d385011d1f1f498c3b1e0ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
44ec34603b726c8d079bda9e8db07f0d

SHA1
2eb72ada8bf33c305b5a63184efcaaaba42d07f2

SHA256
18e43004dcfc54a6ad0a36739136952c12208fec71a10a2bb1331e816c5d7065

SHA512
87b7f1d45685fcc9cac88a851561ca592e9deef63916acfb5119d8e59ab61b394b41f74f4945d1921db86fbfd5827bea94c423d732e8fbc6addfce6ad1d0d4fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
c5edbdf90cca88e9a23f4b8c7b320a53

SHA1
8a014b0f17570352078541db2b587f94e3f99331

SHA256
af76606d29627eb3806f193d722831777a871f812e3364923eb95e9168dd9178

SHA512
da631e80afe7cc66257bcf43c76a493ca58f316b7bb61b6f8bc887d2a3fd7e64e5725baabe11a42a787d53532c0b6618b8d83b1c1b55cfe3dc3e54f2da04c38c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c7cbf3d7d79b867994cad0a5c853c379

SHA1
8aaade35e10729958982feb06b041ae9bb28c995

SHA256
0fc5bb1561dc569ca827f277dabb2ee379dd11de8391f2c37991c9050a82fe08

SHA512
6d7fe7e3b486582d56b3ecd9af72150310aae1c91363c1e839591eaa504a6c2228cab6cff852d91bf8b4a712d2da45b295566136f33eb701588f5976033aa767

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ad889bf34ad77db4cde7c38b99b851ae

SHA1
ad68897fcd828b008c8ab622e70f1879381871c5

SHA256
3d61f468a23a4e610d340862204252471a99f316bad79fc6757834e137f067a5

SHA512
c16fd2b6904727507f2ac289a41847b05630dac3f135e13fb0c12b778123c51ec319943a6bec63955d2b72e8cf90464aa3730f8e0eba5dd99cb19064bdd4e4a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
cd061ad482edf737b28b1d65b6b2f9bb

SHA1
524891e483e8febe0c2ff5663ac6acfc7fd9231d

SHA256
b329ff890bee1d867f2bd076cff35f0975e3d2b164f3111ceaf62c510b86a17c

SHA512
1681f271061735c38080151cc588a51fb5ceaa56ad7ceed126637a4a19b335e99844a143f12dec5697e824285d67f5afb3d673973bbd72759bcae990f9191d1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b2d6808e8589ad959e8b88664db0fd3c

SHA1
82b89e55063c8727f8d549fe8b61f5e52dd93f5c

SHA256
ab39531ddd3833c2e784b42cc897f119ddc2560d6c83682b4556da5f89057427

SHA512
12d95c6ba35feded9012be0a40fd21226704d9c7ea88eb122fde6ab11798c78a689c83f3890153352d1088f8f1aa793ac230dd780b243294325e4c87187af295

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9746dabfa0a93df0f364003896066777

SHA1
9ee99cb3475a35d598794d0cda11ce7a2546658e

SHA256
3989c6a10578b0be11770e2272b95f70eca0e74949dc6941de24bbfa74fb164d

SHA512
77309ff324297c926650db276e8b4027d92ecb5e279d0ad80a88bb905f574bcd528b5cb95ba1ab645e075db1fe3b3e645b95bc9614f00e1d36afc54f45d69469

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
e183a10925475934106cae6014cdd533

SHA1
599f28dd7d075e9b720885d43e06ecb7633b3ab4

SHA256
7701f326c816b5812c4a48ec4e6c3b196898d4e5a5930a9efa81d882b581bb5c

SHA512
9087abd7fca52233a3371d56e04338169f6a6930aded725bf5e8f66434fc5fbc8c8f1e2db7257b57a697021109460b5db10430aac08006422f4bbd4aade1eec3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
d93b2371ab433b26ced513154c42cebb

SHA1
9904c4c936b005ee51b60044dd605bdeb0247700

SHA256
f83c0ab1dddf60c281b55df279abd57ae6a919d52ea0e0c89e3792f733fbddb7

SHA512
0e64fc98c889a97378cdcda0a89242a5bed3027cb72678a43a66ff1b098dd1401e68009764ceee81134bdeb090aa2f2ca7df6f3d93c4531d3698916616bc59d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
b47e2134fe6d765a4d7150751bd131d8

SHA1
5f9beecdfdef7710331e8b6c3ab48ad07133e797

SHA256
af86d518e66280a828c94df543c43eae37b04b1bfd7c9d2f6f7da48b95e7685e

SHA512
d40dc5563b7b6719e2b8b3706bfcbe0b5774838f16033983186e59420b4414490ea85ae065ce11d96327bd61349b1862b516165fc332b2ad068f8cfa028b7aa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
d4cf9584a7596fd1db7240bdf8bb586a

SHA1
12eae9008676afc83471e9f18892ecf906a0a352

SHA256
6505fd87a0b5007f08ce24b68aae1288f5ab5392121c61dfbc7d96f9c69572ca

SHA512
de0f8d014db5b79274bb19a61b197e422c755850594ad65929027db10cd54b6fd390d39e9c5f48a843017eb5231ecaaeda50e77d531bc53a5e9d7c3cb8e9f5c6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b1c04787df121fa8eae43ab9488b4e22

SHA1
460103fd14e648a65299c651eedd61a94251c4fb

SHA256
1358645035972b3a7e86d24bff2866a1906680063896a440d9cfb7c5e6856713

SHA512
1a77315706e48ef146c830987250ad32eb34ed0319a3b924223fc47ca4b17082fffeea43ad573ff3743e7d7e2a1c8b635dac02ff8489b513e59339b381569364

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
8bcc4659f225b0a4421dedce6992b800

SHA1
ef40fd6427df556a8a2108ca20f9459187623039

SHA256
5ef739e58ccac004982bd3d3c36c4dd9cee7514873af211ad9c366dfa4e25c62

SHA512
e31470ed7bc275c2df9915eec3a411a50e9b21bdea186d5ffa6a433073752474cd8b83335aaebad79a7a8661fa193683312024cf6d792801ddfa4c3a34db1b6c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
5220377bd8f27c94d5d00b1486210e18

SHA1
4f5ed882d0e1362693d9899317d2f65dc20c1003

SHA256
afed3499c704e03398da1e96114ff0ae1567ccc35b78eb64495424b499dbaf89

SHA512
913505c403734f1226ffd23dd2c3e620ae31b416a53d245fec01e95d61de802ffce48385177856d6ef8afef6b055af059a0684a855b1f99d664f956c4604afaa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
793dd05e1c04affa1bdc9d7c6c3c5bd5

SHA1
d10e935bd2fcbf64cb33495944a57c73aac57281

SHA256
2b29cbb8655e252262a91befab8e09e1707a052c253c4d1f11cb00b375a71aeb

SHA512
75ca73751e451f1b492684659614bc374af6164280f345a22c80950ba51171f4d2867fcb606bb310c739a497ad07a098b17b6d40f5d9aa1b2ccd95e4f4c61b6f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9c1db38c2a98239738314a852c337703

SHA1
ab4970c9219708641dec717ee6d8eef66e0b1e00

SHA256
939536980b4cf2e32d4a4b53c8cc476044b1aa663d581a4bf7a9eac171b0e984

SHA512
e4864d74f8806d88ef19cba533db76bb72cf8c9e254613b0156d1725c852cf2c3297b5cb88f3f9932da80df696227311f75c30f4f047cd7b417be336fe7b7482

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b81a871d786634e8bd7a2493746b0f72

SHA1
f3b433a34a3f1456aa6e28716a114eeb8cadaa3f

SHA256
704c386f26af4b613298d6f492d39841efcb8c68e1ac663927856d93a297c68d

SHA512
a9749f475ff2fd381b2057ace561a73ea335a3474c6af6cb6d19073c52a8a31ae938161cc04c7063201b5cabe5eccf77327415e3901805a4a82e55d781028871

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
839f396720b84264df24f9c86dd97acd

SHA1
e411cd65235f7031989b1529f2a0d183fc4f43a4

SHA256
0038015cd544a1a9d187a3df4211a5a4a5947e5d33c86cce5c8d9697f8499bd1

SHA512
04c8ac1e79e60f58e00d8488e20f7b933bda78ec985591af3813ebd29d24bf9b8538fd1f07ae6f467890a9c8376b483a9bf6f8d37e84e1983987548646a993c5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
4bba4547a328ec3938856af1efeb7792

SHA1
204c4e1a0eead66f8a938904fbb8a63195677299

SHA256
b9f758041b9908c8504a1eacd4f47fc8bef5e9934996aaeba6506abfbaea1deb

SHA512
9e02c85b1ef7092ff5e24266b710d69794caaa84da1f45d08d013ce397b018995075f3e41fdbd72e4f6dbe0085c31688ada012e2a03fc2eeca650a5017f6dbc8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
07a6880bf6776d9089e9edc9d54ded2a

SHA1
27a31de21224dd5843e85a57b82622398334d390

SHA256
b1c74f1794719ac78c837a141587428f834fef746368d66333eb70d533190a8d

SHA512
5a139f9b230213285d911070ad96f07845e12cc860e9f207fa6a50edbb8a1d28affb9e0d6142ff254524db05cd1d7dded1ac752d0b437d27dcedc97ac40184e5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8a84fabcebef2f98fc35e546a371df6c

SHA1
eb0627c8aafa24dbbe315d5250c45816dc4ffa18

SHA256
64580e87f0025b066e3f8311b7730a02afce2ec440bc3c489fee4e7c30d5aac4

SHA512
4779422b2260f801a0f99e5a3ea70099517e57118810adebbf97e9ecd01f2267ab2edf26de17ec290d22e01f7baf634140d2155f9717ba136c1f48894ca982db

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a927a27c6395ea646455290cc2450b77

SHA1
68940a33d25b310051f8d9c6ea150d477030a324

SHA256
b8000df53fb902d84d5857f561622993900e85f02641ccff3e192e0d23a104ca

SHA512
4f442738d768c7b6d41b2fe1998ece189fad0d829a24d2d3961a7793fc92a325c5877fcaac01e10b51c8ac0d52a8016f21a45e39e33cba8486967e05f55a5b98

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
caac4e4f5f6e12121f4615fb00322090

SHA1
e5257c47544bff7ac479d713e79887748d6e1ed9

SHA256
19621351cdefe203c81fd874c6e91f602a42b9c5c68eee41325bf67cf4509dd9

SHA512
db9f0832b2f0b2a12b20d4d5805e0f75f5a9c8e463ec6e64a178df8629eb12c554bc8425a5ab33f128fe9d861fcb806ff30df5826f19a9e91643d3eab7006ead

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
abf4ab2d2d7142e6e73808441e6453d0

SHA1
ffb4e8696673ce4e276e47e87182891e676942bd

SHA256
5e34bff36475eddb9c8fb518ed087d83c0641fb256c315da1258d2698b98c29b

SHA512
7daeab79672f1536ff646c6ee322f2b0f75b0748ef40a45e78b48bce76c6d7a13d2ece5f719e47c58889018e94f4f5cdd6d8b68422bea7c63215e5ff4d148ee9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c8aff576bd5b8943d84e5288e99c5b86

SHA1
035d5c45ac5d354dc30365e5706cce62763c1533

SHA256
72a46417968eaab5ca29731226651b41b1696c26d84bd5a90a91727565ef4b3d

SHA512
cd06fbf1d47c222e9dfd7c0c4b1f7a36f0546934e0ea2c8935a3c79e6f97d918061929e14841545d2b2d3cd8f60b951fe087973a82669d2508f4038f05c1f1af

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
3e97d7a3f83028f6bab4020f2dd22b33

SHA1
74f3cee35447a4feafdb993b35e4a954fa015b76

SHA256
9fa3d970692a9eb384edee0eeffd2744ac8ec2e7086f9f72185dc52a9330911a

SHA512
ebe07c58a2dc07097d934355996ce098483f94aa3e88429d77dbbfaadf2eabe96c70096e427c7e14a46c2982cb19979d6c197792cbff9d096305675937f166ef

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
1d3a1ed40672819048fccd1878135dc4

SHA1
40d1c87e8119053d9241d5c8a29757c8a180edee

SHA256
30e870129b840f318a5254d84899ee428d749327e56b42adf52bd75f72ad1aaf

SHA512
6b764fb5991ee176200c2b63a50ae37d905a516bb1c098b5208a543ab3674ad4813c0609dafe5ca651bf2b49874e90550d660290128d03622b068bfa2b000113

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3519463f675ff0b7ae0da24c154a0d8b

SHA1
0a9e847cd39fb9c644325fbff278793a072a2f9e

SHA256
1f95168e5584c23c8631ac5f41ced30c05444f066c1e1fe491bf44d896ee3684

SHA512
3a0411754e5d64ebf5246d552e5c101f00ea5516a1f5868ef7a54523a097e5553c15410bc3847fa20590af95881af84787038c0bb11515836c2b372323ad79a8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5738461f0c3f3a11572e6c5e8e14d21d

SHA1
83059f17edccacabb6a46e5c20e7a28c479474b1

SHA256
664847be47c330fdf57d7c1f16dcd68a625c031fb16025f02287f04ee0b50763

SHA512
32038147c60890fbcdb3a0315c68aa56b621b7f1e634deab9b8e44b2cfc038b738b9cee7f0b7a849cca777ae4a81ae8714755c222d90d782355ffb31da78c0da

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d0b8bf5ded15d8fe48845412dca7dfc4

SHA1
78bff1b5ef2cc24c553cf6bf6593ec2f66dee5bf

SHA256
19c86fba80bce17d150628fb1ff85269031b412b4499a0f13e1e9e7896086a14

SHA512
a17136cca9462ec821e81aea8d8b5873eaa9cfefda770eef299617a732a7056f7cfacedb3efefd603a6ee127d8a67f7bb6bb02a4bef5e41d4c40222bb330eb77

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
cf1caefbd94ade6dd5734b6dc33f485a

SHA1
bea09a8245f3551050ef0cf9f0418c3130eeebf1

SHA256
05ea21779bb98abe90444382b379ed962385ea86d8187ee16d77d376695b3167

SHA512
c5b843659c338a734e2beab9a71f12e8f07eff45da3fab76e94b5d6a4e3d9d556b005d01b9d9f25afc49fea2a0e18213f72af4902aba00becb76d8f80efbe4cd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6c5402820cbc9dfd8251c6743cc7033e

SHA1
2077c54ff45ea30dfac29645a021298a867cb905

SHA256
d752bc5272fe4ebee37476735fa44694a7b4215a572d9e28bd64c6b5c83ef9e4

SHA512
d48b252fb09fc42d248913782cd854a6bd25f979da0d8f7fc8d2d9bf1d605d953d27129bbbfabd5924b7252496784a29a0696e6f24f6cf7630641595d08c73ef

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
907591a089d440ecc92c756c2e17dc09

SHA1
961f9675a3a83a72b1a9021de438d79594aeb33a

SHA256
0474839779d4f94bb845171052e8d9490c75ea15112c68f6a5981373ce6dae7d

SHA512
d9cfdecff002ffd8b7e74c91fdbccf7ab003b8b11b2769b7cf6bbcc087eff469c854138e8cce039066c941990ff0e8706e154528334d57596d1a75600de7ffe2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
beea07d644a089ab7b8450b36a8ac9b6

SHA1
a7274e53e3aa03b7c32a22c5a3aca3687f449617

SHA256
a1a468a15fbdf3daca1fe271b9a6de318c965e5ff309bd63f7d881bda5bf4d73

SHA512
0bfb8606d625d0dabf72a21eb42fc6dceee90d7a7c496187298c2a2f82fbcb9426b2594a9488d8e17e418bb4ba4a7c50aa518d1c23b91ced775cbc577e5b09d6

Download Submit
memory/384-235-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/384-477-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/424-162-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1092-226-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1148-91-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/1148-154-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1148-85-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/1224-224-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1224-475-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1556-39-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1556-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1556-473-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1556-33-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/2068-53-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2068-50-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2068-474-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/2068-44-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2172-15-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2172-469-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2660-17-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2660-18-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2660-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2660-470-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2672-156-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2672-95-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/2672-100-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/3316-351-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/3316-9-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3316-8-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/3316-410-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3316-0-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3316-414-0x0000000140000000-0x000000014020B000-memory.dmp

Filesize
2.0MB

Download
memory/3600-197-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3604-157-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3648-151-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3648-72-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3648-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3800-233-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3800-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3800-476-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3800-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3812-161-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4020-135-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4316-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-67-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4532-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4532-65-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4532-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4628-195-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4648-452-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4648-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5020-150-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download