e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
Size

648KB
MD5

15079aebdfb2ca1cf46a9a83a9d7aeca
SHA1

40d385606ef5c0ae012ceabb5295c106061054ca
SHA256

e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade
SHA512

8b65c2006767fec446a71f4e8889108460533ac8ca3a640b8b291665586ab36e1ded81a99efc78642ac722dd04707f49ee11e9ff003f31fbe05fe1fce1596be5
SSDEEP

12288:Nqz2DWUyF9yrc2CTPL5gpQhOKHbHedZxkryD+cZQ/njhmEiOhS0s0Blx:Az2DW/DscnTL5g4rTeP0j/Viwlx

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2604	alg.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
3512	fxssvc.exe
3320	elevation_service.exe
1944	elevation_service.exe
3100	maintenanceservice.exe
1956	msdtc.exe
5036	OSE.EXE
2080	PerceptionSimulationService.exe
1772	perfhost.exe
1348	locator.exe
4240	SensorDataService.exe
3584	snmptrap.exe
2304	spectrum.exe
2840	ssh-agent.exe
1464	TieringEngineService.exe
3200	AgentService.exe
1552	vds.exe
3180	vssvc.exe
2592	wbengine.exe
1652	WmiApSrv.exe
1292	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\System32\vds.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\dfdb4e76c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\locator.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\java.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008796fdfbe9c5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073cc93fce9c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a6e15fce9c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ceedf7fce9c5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dd1bdfde9c5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f48af5fce9c5da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
1856	DiagnosticsHub.StandardCollector.Service.exe
3320	elevation_service.exe
3320	elevation_service.exe
3320	elevation_service.exe
3320	elevation_service.exe
3320	elevation_service.exe
3320	elevation_service.exe
3320	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2036	e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
Token: SeAuditPrivilege	3512	fxssvc.exe
Token: SeRestorePrivilege	1464	TieringEngineService.exe
Token: SeManageVolumePrivilege	1464	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3200	AgentService.exe
Token: SeBackupPrivilege	3180	vssvc.exe
Token: SeRestorePrivilege	3180	vssvc.exe
Token: SeAuditPrivilege	3180	vssvc.exe
Token: SeBackupPrivilege	2592	wbengine.exe
Token: SeRestorePrivilege	2592	wbengine.exe
Token: SeSecurityPrivilege	2592	wbengine.exe
Token: 33	1292	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1292	SearchIndexer.exe
Token: SeDebugPrivilege	1856	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3320	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1292 wrote to memory of 4412	1292	SearchIndexer.exe	107
PID 1292 wrote to memory of 4412	1292	SearchIndexer.exe	107
PID 1292 wrote to memory of 1796	1292	SearchIndexer.exe	108
PID 1292 wrote to memory of 1796	1292	SearchIndexer.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe
"C:\Users\Admin\AppData\Local\Temp\e2d4efa5467a40bccb06f9bfa70016db48964b25a5f84aed85bbff040e78cade.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2036

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1856

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4560

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3512

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1944

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3100

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1956

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5036

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1772

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1348

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4240

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2304

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2840

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3876

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4412
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
60853e671a6faaeb2816025103845fbc

SHA1
f712dbc3cc6ca6d626687f77751c46b89db5e2b0

SHA256
a5a93bd1ba9a0d08fb396706c6c38790dc5baf36e26eda9a9688ce5621e94fb9

SHA512
ef5fd46dccd57fb0bf02bb1a221a42b0811a292f6e629554cd4d46b08d501a63af738cb697f81b7332fa98bf5508a849065892e9e83f769183ef73328d4ba002

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b3f80d635f441f56de33f24600fb793f

SHA1
ec428ca5ce765df4a8815b732b7fe075e9dbd67f

SHA256
d738d86ca9807352254fe7d5c9b8d539006aea22e717912f071e3cc36baf2ccb

SHA512
45296c5977dc6859b4d12edddd40fe188920e3210906d0c245a0d29623605b62307b7faf2e043f1ad500094fcc30cf96dff4eee528d74ce34b99a11b2d94a949

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c210af175c4aeb7ba9a305d5d2282a7f

SHA1
610b62d6e4f380b89c2027f4c4cec1ceebfd15d8

SHA256
2998c8b9f1347557b8b406bc3ce9c8c2591e321d7acbbe551fd74b7a384776e7

SHA512
769609c97c708596b8cc25fdb08ac3da197ed905f6b259196f6e63ebdbf2352528244bac9e5bbd89605067c1231b990331754e6c957953d8fbfedec139f8d3bd

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5449bfa9bb23f0c35107773c85c43588

SHA1
7946a304c0a051901b17f870846b7421f15734f1

SHA256
2f0e002d6b23ba3b855a9e6b2da8a37bf4460fcd17a58d9bf647d35c95365a53

SHA512
3b3680de4bd3c5d157117411fef48a412824752a3d712f4c14b679bc4ef9dd9f66807c908f15a853fcdcd6ca4479394b7f09c11205360263f54b2cc17dafbfb3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
bbe6cd13a73cea39ce72233c4c4b9d38

SHA1
72af99da3acf8cce8d381871e871adb007c71f94

SHA256
b9190783326620f143612c0722feb34287a8e214034e1394c51bf2b3e5326968

SHA512
81f0a199d6944e5e96648067b4e16f4b9d65b11613894cfafa6337e08b89ec6699fa1cc41c91d67eef65d24973c051629b6e545db67ec80a32cb5ab870adc2b3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
95b981a097419be54a79d646d0ba799e

SHA1
f00a145a6e131301e1ec60364d437b77084fedc8

SHA256
a851cf13ff392acc34c28cccb98538a189dc5de3a8d111eae0ce20a7414b75be

SHA512
ccb159d4d23a00dd76306d8aa26fa20553eecdf380b533f83bc18f5bd7209c61401f1cd4f677077dd1f59257529ee1617e0d7dca9fb759b92a1efcd3b282aaee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bafc1c4902f466b383adb1efc65cf0ee

SHA1
d1a7f1d95852f261c1b0ec7a2199467e349e94e4

SHA256
63fc5a4ff285022212b376522d723f6c93dc28f60491f042882e7c0072980603

SHA512
224cff954b9b802421a48f61e1241a8d2bc51b4c9dc5e43852a3fba0f69139bfeece2ff3929e10ff755cc08f0993018a6b2e3351fa56e5079336d4bf1e73b0e7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
626321563a0c35b004eaecdccefbbd31

SHA1
f4b82eb7ec8132f7a0eff14327ec36292e043cc2

SHA256
a3e6f9be531a9220410091f4d0998b2d769f09a9b716fd23586996d70840ee7a

SHA512
593b5ef94e25af82ca73cdffe9bb5c14a5f91a9deda342fabf9db3dcbf72b3bfb2e446e08343260a924baf1f43023a336bd8e33f68d16c2a00ed06e36686589d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
25c0f6652556ac979d0a6c23c4e65c50

SHA1
9dac7257c67034283d7defc4ab4aed91042bb8c1

SHA256
16b1495dd6b5092161ef392a88ef2aeffced0a305e7ff4f9a0da054d4d0ca913

SHA512
7789f737d93a2c3aee1aef0b5d321d4e3c3f40b1182dc425b99c9d4a72c51a37ea4e145427521bf4f6ce46a7e15f81e2f626ecc9ddc46d2f7a458284948913c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f41766ab2e86749337de27c789deeb02

SHA1
91052c8166104003b8f5928f2158986b070c6f95

SHA256
3f93753abf14ee25e405f7b50ea8d31817785094ba5b12ae4c9172824502a599

SHA512
682d703ea66568e7f1456b3fa30a0483daa24d3f5b40f787e19e83827f82367594056dd782fcda1b725135b043dff4adaedd644d42a510fb26d163ef85d37009

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cec8d1d7c025459665efbc8eb2226b0e

SHA1
df9ae5e55499d179a428a8c816f3079adb5fa156

SHA256
bdaf478116dda4ca503914f2b2d01701b237fe70ebfeee6fc62df2b1fe34fcd7

SHA512
dbe525beebdc5ab223b78ceb8cdb5081af990659a8207ad8f290ca4270401a8ccbfa9aa246d0e6d8cdff5ead84eb538812ae55e9502afa6a1aaa86021cfd693d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fb5eb59f524cccd2176c26d2a6ecb738

SHA1
5c768d1b7eba6892d963028d93a97acf747362f0

SHA256
c8c476b9ee831e78bcadd4959fc691e633fcb7e93741c9d94e5331ac7c836f84

SHA512
651a56ff7cbe80086988ff8a01e56fe4e1346be5d6a0bda1ff5ec2c457fa624e8ba55a254bbcdbd8227d3432e3663304b31053638f9df6b5691b9385c73e6005

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
80693801f83581e84bab3f51b09f99d9

SHA1
2a1e4ba1cdc473d744607d9eb701ac17e1ef9563

SHA256
c0f5290fbfe954df3c9f71d46f35a6fb81531bd36494b672554f1935c0473d87

SHA512
e242b40161480fbfc67cc2329a77511221000e2bcedb163a3b2e4ac11ef6925b3d6e967db99f126a8cf230573d912eae628906df516509ce3f88432583b815f1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6e2220c91cfd24f51e3c1b34a927e6cb

SHA1
a3223fa4cf5d02a9adfa85925183f24b3af2ec19

SHA256
e490e843a5150c4359f3183ef2f4df3c0436401df6bed75b4131522cd28019dc

SHA512
dc51589ff6a08898ce06325309e58085dc6a844c198902deb95de5fd704102f462b0499270f830d133e13b5d77dc43398c2c0ee54b3bdafc63cffd445c5770a3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f8880521893b36cd51fdd762dca468cf

SHA1
1a6ac14b3238c54788013c4878482ecebbbf2800

SHA256
63f107c2c2c2b5169889e89ac6010ae3b464544a2c3d5bcc508cad6a4bc3c814

SHA512
2d737284bf993178def2719eb23b830116616768262638aef2a5bba4182426e35c4aa59a5ebbbbfc2d3289d2aae5470ab31ef90b3a1807387c56d2a39cbf101f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3ea8844f9c705cdf4195541922ded62f

SHA1
fe126bbfc8efb1c334ab19122b146681edec6d5e

SHA256
6cf781cded43416b580271c57726030dd7b4377d4f8c31f665f79858c356b996

SHA512
3c7f7459777b44b7e7074c5a83a7ac8c6afd70b43d8d22b25f062eb4c8072852a78aaea4da7a088744e487373bb76f730a1af2450272d0615689411c54c65f65

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d013224ca3168a055d37a58e423d0244

SHA1
cae45b3ab0ca341a1422d1a6c8b38131d87a7701

SHA256
dc5a7b9ddac738d84fb3da0ee3e911d934de717ef08b5a49f22f2ad11b0cb4e8

SHA512
4b7dcedb3aa9dc41a2ca5236c7446832cf0014188c96de3f35848395b238b0747d8f1c84a735933976a51110ee4c55178a0ab877816b11ee45a754d994bb9d61

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8b8485bd6433caac557ca43546c34a17

SHA1
3b03f4dd835fb34e547a360216c396d4d6ec3b58

SHA256
a66a2e168ca133a22ee2748e773ba75587f324e231b617ab5b36ea448b14d00b

SHA512
850d1bc68d653159f05267a327e9ca55a244f8160f8afa9b6450b0066332a8badd0c11f5a543e236455a14ada6e8f411a6ba6ce5daed77f502191498a7859c75

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
992a91d48ff967f32479b10ccf5bf465

SHA1
193487911a53e5ce5c3207f4930b701971cea056

SHA256
3868d3b5e7f1bd9dba7e71c50caf02531f84bc25ab8957f79c2f1db8b283245b

SHA512
0df26c8c9d46e2afd86702ab7e31ff2d602afb38960de86e510e0f56a1bda75d806588303f2565c632ce71edb14a9b84fd0bc1b35de25f7f483c3e2cf3ccf9d4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
01cf74cd11b40736139c98c499d5b3d3

SHA1
dc41569715e86bfc8ace8fc28ad319877ff40cf9

SHA256
da5b231139da401fa03b1f8cdc00424811ed101fad693b4aa3eb87ecf1d43dd9

SHA512
27bd99768881a91866ff9df17a2db7ec489ff32f1203529e2b7fd19f2cba110f595a87c418dd5da6b804eef18a4f2ba6e0ed7c4bffe18dcc9f1cb226f2b3d2d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
94acd5d0181ddaa886ee78f2661f81af

SHA1
e9d8b401506e50fe0981b586c54d3eb981afc0cd

SHA256
3c66f107571ce03e1b63d6bef6bbb1eca1a6d7623c480908d87a483c79d9122d

SHA512
48f6fce045900d0065ea7e6dfdd415cd58c70c4712efdcda0474803c8bae4284b6e6acfaaf7a7885a20adfacbdd569a8b161ae85b3f4787ef34fc275f43ec2bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a4b42f4357a16521440cc0ba48624182

SHA1
29f50701f6bebea8ac2ae8389ad1050751fef5bd

SHA256
c8b373fa4fcab9a9bd9e3270739c7e9a74470105c2cdea5a7179c166c72c3cbc

SHA512
f25c8013b8252992c051c988ba94cdb62238c079ffac7d8ff5596baaed45865f63316f78d374fa9b7c6d05aae1509b6e461e8f47eb0a20859f5544a4e9022f3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
7d596a8cf017662d11b2bf8d815da7f9

SHA1
b75916fe09188c25a51f648ed3864abe50715f27

SHA256
20db988225f05da9d476e4b8846f506adbd3fc60f9436df0e49a260c28035e3c

SHA512
0ac6569aa5966bbe69f9ca9ec5d53c151fed080adfb7655eddd5c29b21594ffc06a96a6c47c7a4fcc75c51e2f8b8b9ea4e6b48bf9964160e23421f5672ab473e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1e215670103d2dbc1f6ca2fdd9d4e45c

SHA1
e72c2054839e8a88141842ead42f83a110ed3775

SHA256
a4ece97b3555238bb0412d846e6ab78f1e7610a4f3d87b989008a03a5ad694ef

SHA512
e5f023badadc038a226bd8760fffd950565c7895b0fac8a1687f0325d8b49816682bcf91f161bb5af5bc07416c6a17379cc291794d0531b7a9e6bc65ab29a856

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e983c6fe24c932e93dc60b20362c94ed

SHA1
8f84a18db7678608a268cdd5f02604c2ef420d98

SHA256
89f12f1b828d14165e04898b26760ecbc8b298f2004fb71d3be0b8888a8de571

SHA512
f0c2a36c88185494ed2915c66369387a38eec8d00ad85844ac5cb3896546915d80e4754b1bcb636f27e99edabf7821948835fd82b03c0c2e5b718f5c9a66aa3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
5792f1121a23e12b5f6ef5011a03beb2

SHA1
19251f8381aa08b3a7d720fe2f8b6e65d85a02e4

SHA256
37bbfa1b7f2aaa3907e4b414419786ed15836db74677f53c5e6628f3bad279f9

SHA512
81eae2e2140fa5c59c8350a6d475ef833a3e8ecf2d63df37bfc6baee11f4072783596ec5485014007715e817b0e73347e9e4b5aa51db812c0893fd663984d59c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5183d3f70dda0e30033aa47409a391e7

SHA1
836b504172ebf606263897c0bb5cc76a990a3d68

SHA256
f20f50fb5b30c859ed90db6e9081339de23f4beb036d8e18f0d8865e62a54b61

SHA512
35fd0c1bf71bdbdb7bec58b46d47193ed6376859ec28d85190da105608aac39719cc7f20d3256dc3afd5f9dd2edd3ed8bbc691ca4ad51fec5557aa75244e6637

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
7c7bcb0bb3a2e6cae6398bc2f2985509

SHA1
f6c027c9e627c89f8b99f927dc175088890ae2f2

SHA256
06bc4f31c949e6fad468f8d0c8584aef5a96c5fa69aea9d42435c4336fdf65fa

SHA512
548fefc87ea3778b61e0a471525eb24d9499cbf07c9aba0be6b213e5c18777be4bbc43f4a1c60826315de75e8179f4e29c40ac91e964b794a8332cea0faa448f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
662ddc473251b1ff6d1bb5c11f63f5f1

SHA1
755c42475c5059bf2aa5fe766db55a13e8300acb

SHA256
eeab4825d951b4da383ed1c493cef8ce6232eb1f644d9276289b06aba7bfe4e9

SHA512
a993f86d6fc4fec0b57dee35a5aafc2f54b8676ccef099692d0a2ca229c45b6fb14fa1fe7883c6cbb1c74f7efee35f65e3ea0393cef1add7e939f7a0f16241d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0a28f024486fd5a1c372185b10a642e3

SHA1
b8f45729af165900e78c9cfb6a716874082eb040

SHA256
caebea75f3381de54138b54402af1ef049918846a5b5d45670bed800e389290a

SHA512
dd9a7aaa0def8622bd2fd681d42986525020903be92e6ae0a83f7504ecf91b547403dda8f600f5ca868427f21576805d231119c4cdf7256ec1ce2f817f60b20c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4d557e5612fc91b4ce3fdf73b2d9e10d

SHA1
8bf79863c7d8b502bfe2c340c0800163bcb72d46

SHA256
a5df32cbc5564cd273938d9a2a077fb5c79d1ef23165200ff4f0fd1291b9589c

SHA512
a6900e62560f7cc3347538d1f5fb15f32ba5bcd888a62405f72537436b170afbf7bdff5494d4b7db9d3a40df226204ef4264adfd17f6dbb7da94cab1a0552ac7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2526454ad64a42e1d79c205ec6a09e9e

SHA1
0da922f15bee3b7c365f285d163766f407540e5f

SHA256
05b2cf880c394c7660db100eff9400858cfbd256a5841b2953a61912ba9cc2b6

SHA512
1f1bd568b27abaae64fca36bdb86e5d5c3a58d40fe3d8bac2331c5960b184e091561c07013e86ce436e5b10085651acf0ab43a3c39d93f397a2713c3213ab2a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
86410a5cad6f6f6c3ab922f7f838cc01

SHA1
7b2134f226e14742724ad4a07289b9e234bb3f66

SHA256
38b0d2ba61fb9cb400b0aba772e8e25f31400430debbcf3dc6327d58e112e453

SHA512
7a259632fdc72fdf739f72166cfe6f6a4194efd88bd6c84d6087bbcd28d83073926f7ce3f9d2c7c7fac1ec4a3cad301eac0dd88257bdb3ac5434de7c7bcc51a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b9184319b60c450e69b3841214d181ae

SHA1
b09a6313c7bf6e97646b3b15ce7a8834790107b9

SHA256
c91d2b7f290be57fe3eaea718b3956eaf3fc2fb4ddd8de4e8473cf16e53795e2

SHA512
6e878950a7ebe187777ec781ad6a23e1881a010d6bb13b95a18ee3ab9896ce6b93fc631a4f9124076f2c11a244aa80d2d0417a89479d4b297103ae4e24658e7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6c3504372365ddf9c3b32534f258b9ce

SHA1
759cd04c8cda5935d247a281423f1032dededa65

SHA256
9797e4003cbaf77161884439f76580bc35cd5c6d1901cc4433965f5dc49ad5f7

SHA512
1bcd9b3289df16063c448c315b97a435bd399f71a414d0a79c56220ef5d86f7a158e3ab48540f435c45e3ed4eb1d1bee7bd91d520b995d0d60e3770c1d1b40ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
db546a639ee9aed0fe11de5bfb97cf5b

SHA1
c8f2835223fb458ecaa73f57b88e29d7a4296bf1

SHA256
3008191667b214984928d5391441cedb69ce5d7b12170f0119885a56e81af309

SHA512
916b055d87a2a14552278d0f844ab66cdd26cf099b01665951d1d7704bd64b855812f82158128a24a704662bc0cafc3a47d7021045d33a2a118625da48f81ad6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
c233f1d2c259bc48fef9fcf84616b204

SHA1
5da79836d9bff7df02e03710bab42cab30890f2a

SHA256
c61773b8e70d842fa6f772f11d95adc0a4d93f686871bf6e7ff6c8eb19a6a00c

SHA512
24a0b851204604c6488351b85088f5adb776cc1b11f8ffa983a2934552870e1249f9adab8093455c27cc0d4ced1a137f300c30e7a6f414d184b0ad4dd5849231

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
960b3bb72a84553481ae55f145c2fad1

SHA1
8fbab232a825951260a13af484c7c8fec78c2fe3

SHA256
e005730909ec354e0c095139954fcf19eb7f10dbafb25112d47525d971565bcd

SHA512
dd93f5358620d2c45d017176af88d2689763552e8a63e475edd72d54024eeecbfc42e5c1514f58171a04dacb55ba692b4fd7c6b06bd417c68b8cfaa5fe574aea

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
25ae897a77721934654b63c22e2bbb41

SHA1
575e3ad6b6190da742ce79a5fd03cc551068ef76

SHA256
8a9edade71a848d2ad5297fd187ea226ac86d8f3f3be9ebdfdccc2f635bd3c18

SHA512
5be40642af880809efd10fd94dd5ebf34f6d2790e7cbb5d2f9702ae23e279da6e871f6004739589ba86da52da54bd431d6dc8ee3429f314a0240de486126a183

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
fca1069b311a02aced8cc01e4949efd1

SHA1
1cb9b74086ce85861fe16967639876c02b4e2396

SHA256
ef7c150bdc8f727e53e32cd25912160e9671a42c03b318a5284fb25b1970dd1b

SHA512
4bf30d11fa40ed0c10cf9112588090554be0601f1c90661a46133ee56b29b00a550ac7ca90c775331d7f2a03b7bb4b74fcc606b9e258359af7d8d9545eeb575e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
332e9602698fab962c7058fe02cf9202

SHA1
886def0c05eb3778ef4e76c8714168fb5733767e

SHA256
009b06a6577df7e981a6904bc625f336119c05d7afa4c754d13d3d49af3d3964

SHA512
18ce1a7b6ec0abd1e8e9925bf7458f41c48f5a5cbdcec8afdc25f3188f5a81a41b1a697ae698d38d91b44613b7fb4f0913207b1471892cfd22e2a3e06489f5a0

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b67a313e492861a936ed4d3a0570530d

SHA1
55dc11a432f5b073cd768c4d9e3126cc2563290d

SHA256
f4a8cdd61edadf70b5370e2fea6d57da81a35cc9fc44463fcc5288f2e873310f

SHA512
de37fe9e4f3be76a3dee679d7b66778169fbb81ded7588bfb0e80ff8e72fe43d21b0df5dd166756156eb98e40315d01e67a22e8d429e4407312ac07f0c0e9ece

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cf10d39a488b4c2f97a423e6bf8346b4

SHA1
b7cf0415d5d591437890b6fbcea332c01505fce5

SHA256
d2c93ef0113e1c83ad1ee91be4823d650362d4aa9eea06d7452b38a33e0d1e68

SHA512
04a20749c52dc2eefa746d533b13ca588509e03e195a6c260e0e713bf29486f1ccfbfeb2050e2fef348728632d02611fee4618f48303c85fea28038471a19ea3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d9535ef69a270277a0946e81aa05a59d

SHA1
95217dbe559b1455636a55af8093acff166ae957

SHA256
7c7a94cd69ed8f5fb9ce70012195b47db27836ebc6234ef16fec204a91335650

SHA512
e2a3ada9ae63d6c6b2c671a110739a9bb0b1b79d6dc6541067fc6136c171b8f0900752b464c28a4cb2d1270e1837c0308bdc00daf081d41b0b7fb82f479b4457

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
4a97cee172943300f260b88240d6ada3

SHA1
ae5dcabfa026bc9c4b9e5a86848658ee9b7f2eab

SHA256
f8c8c999379149c4f25e85f6057c7a65787d40ec02c2a8ee2cde70caa783eb0f

SHA512
65a64bedc1a2906b9bd029bb3ebfa08c9135b7ddd8667aaefd91bdc4b1d96883296248cf29353fef5fcb676ea657f5f8e6be6f4cda9836f2ff358214c0b75d54

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
54b32656bb902a60cd450f91b2efae10

SHA1
cdcf7e0f4d5fda6b05cd5512f29ebad523ef322f

SHA256
617ec62006c84bb02275a411d1d116fa1105fad252d11733fcf73c5d9c14d73b

SHA512
71c3748ae1c5937630ad99f71d9372523d4278cec6a1367c8035f59746f0c266c3eb865154f1e6b0c14d50f70ce4110ce81c96d10c9f61bb889235eaadc9d8eb

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
750d56bc86bbe4daca1b02b2abff057a

SHA1
83da36d184d06669bb44eeb6edd024f449f435f3

SHA256
818c7f9435b2f6929081e77160f155b40bb093e56005bc83348de5602d1d702f

SHA512
1608fa7d32b3dcb1813593aadca98e96b0fbc1270dddcbe8136d54c509e7f0ea47da1869a1b1d2dfe80d1ffc39be2cb4543895a215becb581d2ba0b88c2750f0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0c89922284a2954c0f7451ba93f6fa07

SHA1
2deb049fe2b344ec6f7d8df89ea4b1a4d720e925

SHA256
9e3a5d6ec5bdd40224344d7c2ce7963a68d580dbba2dd6eeefda75cd0cb42656

SHA512
64d0397f3de1a2ba56d052aa89da568930b5386b8ae9da29d0ac6d45588579049ccb895ec19e1e194f1129208db35d44ee0548f80e0b8526ca1bbcdf58132169

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1e8279a5d95d1d4d995f4c49108356fd

SHA1
c9221e2a6d2306652db9d93280c15c9ae9f05066

SHA256
13c599e250ca1dfae8360e3e6c8a8414409a3a3cff3c61c7acaac2edd25088c4

SHA512
4245a35ee1685790fe203d464f3d46ff3c48fa23f73ea8ba1eb4cc835b7a6f5db98163bb6ffbcfa1f19e0c89cbee846f55af0ecf9a760456fdb6596003b1dab4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
eaeffb8176cc6a1c088533143c401abd

SHA1
3a5e48e9473d9f1570e03f7e834868fe74e373d2

SHA256
35787c71f0de90483f881570f85ada3c76ca8fd41cd2a02fb45ca3908738449f

SHA512
516a5e867601c3e1bf447ec48aefb752eadaf72f236a994c8eb2ed0497402705b6225dab24042a0bdaf84a7fa464881f9c653eb7ba2e67cf67926ca8768c4388

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4ee8ef649250aaffeb2c611c4539678f

SHA1
0b35e3fbfb0e654fbdb9a652f7bc677fb2d84002

SHA256
7deeae880d2dd3e53ce3360205f9589dd990677414e23d7ac5a499e365cb612b

SHA512
a5406793462bf950dc9e2b44ed4a94d29ba2fca7484cb9264dec823fb35f51db19514cad23626f126234df190bdce4af403b3d67a35277c814b8106c54182ee2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b5b1cc3abc8cd290b4be3c355b24bc21

SHA1
b69027e2889dd5eb10af3ebe6db1713188bae585

SHA256
de4d5a592d2460e19bc9a9e2f8f9ac22fd132c3a6f45b8b5a15d13acd709a386

SHA512
3b9016277a0a689c330c5307a83c496c9c09c97a6ab69b632bbde7b24d87825fc304e6e4f127aefbea314fa6b18f2267fdbc2503ca3b73c0ce4f320857e3f04a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2d47b0c4032b0e26b1a77f48d53c6625

SHA1
c49107b22673510d9070a48db07c71966d5e9fde

SHA256
3f88776fd381bf802215f9c7626c2e8c8d8542dd8e6e41575fb581c038df6524

SHA512
715805521113c59b410f41e8547e669633096a4267277119d94875a0d6b3e26e6ae9880405d9c4ff42bbc559e4d3728fe17d81bab7a23c26ff55b565df8ee4af

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6f3e40082108a9f2128d4ea6a2de9f4f

SHA1
e9f119a22619f679b939e54f5894eec8d49ff988

SHA256
0595fbf55456dccea5ed8d87a8495073a3465e9a26a5984e2e42e931f9943431

SHA512
c48a493a0976427246e6ac7aa0b0f799ba24fab9d1d1f5826e325d03465939a01ed45a3e0b75c59faadf74869c483ffa642eee5c49eae4253ade2b03f138bf87

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ded2b28e33ba89f76ffddf564a4a0120

SHA1
62e903c03e5c90609468382b927fe37c493b42d3

SHA256
6dcbd7af5c70ae13efc41fe9335bce98593f89681cb3d14be6bcf2cd1046ccea

SHA512
851ab9d76f2ab9360609b5f7f626a87ce2dd5b4ccc04be5427627c9005f99fad7dcb82d1db6582da0b36511e68dd156b52e35bc58f1229b143ff89d9fe737491

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f0d1e63da881c0a339fb7cdb1cd7a4a4

SHA1
5afef30ce38b40052e4a8297336bab5ecfd64138

SHA256
56b6109f77b0e04a4192157f77f6a7ad4f7b77f11af3434b9b918072cd87ad6d

SHA512
900665d06509422ac18700d8e36057650c6cb07a27f9c8f00f46245a28b920ac8ce953e0a8432d73646e632cfb5bdf9fd0c3965f8373f03ea79e71212a75e117

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7a6ffb6e0c5c3fe5c5c61967f6b1480b

SHA1
a7c3dbd70b09e087c4403880ca0dab15f471265a

SHA256
e756220fefc3fe01372724675b21d65fd5a2701b2163b24eec97d7cb72cd508b

SHA512
d3c45a768352c97e7a0bc51c4ca437f0a85d3651dfdcc82fb3f1062bf95edc496edc0ba1d24febd033dd7e9e94c4d6ac604426285fa213e86fd6cf8a74e61e18

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4281da321614fa38000af5c7683098bb

SHA1
0cd59cc2dbfbbadb778fcaa8049c6f79539033e3

SHA256
51143bd79c308132b706c2514ec7d264539659258e04f9a508f76f6a9e2e0352

SHA512
7dc097e8c1543a1e55024571c9ead1cbeb0fa9f937f6c8d2d91115b09f4365e3309dfde9b3d19ea0101bb5dde911190899fa59db8bea5a6517ea286e6e0baacb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
73398b1bde5c15b1a92779b3507c2f2c

SHA1
c3656ddab7f04e84354b37dc38c9bc8c7270ecd9

SHA256
11736a4f0ff587e044bdb1d3b2a7235ddbc52445d6088adfc08e892c51f0a2db

SHA512
af509e3895e5c44c879951565996661a03090a9ad616ff825992e607be60bbcfeba7111be598dc82605258b42a4bca9975ef42eb485c254e6e053acca35e062d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
47924f53bc3dd7f0b93124903e0de76c

SHA1
97ea35f775432bf4436b8ad1ea7b949c8d6b3a7d

SHA256
421fe74c4c24a7cb3c6026479ec95ebe28fe3e6de8b1efea842c8a2575965d5e

SHA512
2a1753463d552e9e6f62bc32de26438c11c91a6141335fcaf3b840947f6cbafa17e8c3cbc7a010d1d03ca1eb21584cd7bc54d48c1663487c5c751f9705f5e1a9

Download Submit
memory/1292-164-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1292-516-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1348-112-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1464-149-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1552-150-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1552-510-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1652-161-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1652-515-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1772-100-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/1772-95-0x00000000006A0000-0x0000000000706000-memory.dmp

Filesize
408KB

Download
memory/1772-111-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1856-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1856-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1856-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1944-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1944-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1944-507-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1944-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1956-508-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1956-71-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2036-464-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2036-107-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2036-466-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2036-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2036-9-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2036-0-0x00000000009C0000-0x0000000000A20000-memory.dmp

Filesize
384KB

Download
memory/2080-85-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2080-91-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2080-110-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2304-147-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2304-509-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2592-157-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2592-514-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2604-160-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2604-15-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2840-148-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3100-56-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3100-63-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3100-57-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3100-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3100-67-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/3180-513-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3180-156-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3200-143-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3320-461-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3320-42-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3320-40-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3320-34-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3512-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3512-32-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3584-151-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4240-506-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4240-146-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5036-109-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5036-75-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/5036-81-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download