fabookie | 820eae6104c5aa7150917a53e25fd0be9633bcbb7120ea680967a52467e41249

Analysis

max time kernel
134s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
Size

2.6MB
MD5

c174a91d2dc0d74cd27eb6d867360e18
SHA1

3331c256db6e4a10312be405feb4c65ef52305f4
SHA256

0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8
SHA512

b2f372d562f49f8de3a0a58412f92a0d6589d42ea30dd533ff4507a6df923c45db7c38e686d6e13d9502051a508833b8da699c661999dd221b049961401f87e2
SSDEEP

49152:erEOLD0x5+aJVXfxu3Eosp/qw7RV+uY/SUSI0hozrPQi:h2YJtosp/qw7ybHd/

Score

10^/10

fabookie discovery spyware stealer

Malware Config

Signatures

Detect Fabookie payload 4 IoCs

resource	yara_rule
behavioral2/memory/4184-8-0x0000000140000000-0x00000001402A0000-memory.dmp	family_fabookie
behavioral2/memory/1064-76-0x0000000140000000-0x000000014022B000-memory.dmp	family_fabookie
behavioral2/memory/4184-73-0x0000000140000000-0x00000001402A0000-memory.dmp	family_fabookie
behavioral2/memory/4184-573-0x0000000140000000-0x00000001402A0000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie

Detected Nirsoft tools 7 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/4184-8-0x0000000140000000-0x00000001402A0000-memory.dmp	Nirsoft
behavioral2/memory/4184-73-0x0000000140000000-0x00000001402A0000-memory.dmp	Nirsoft
behavioral2/files/0x0007000000023cd2-250.dat	Nirsoft
behavioral2/files/0x0008000000023cd2-404.dat	Nirsoft
behavioral2/memory/1708-406-0x0000000000400000-0x0000000000604000-memory.dmp	Nirsoft
behavioral2/memory/1708-437-0x0000000000400000-0x0000000000604000-memory.dmp	Nirsoft
behavioral2/memory/4184-573-0x0000000140000000-0x00000001402A0000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 6 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/4184-8-0x0000000140000000-0x00000001402A0000-memory.dmp	WebBrowserPassView
behavioral2/memory/4184-73-0x0000000140000000-0x00000001402A0000-memory.dmp	WebBrowserPassView
behavioral2/files/0x0008000000023cd2-404.dat	WebBrowserPassView
behavioral2/memory/1708-406-0x0000000000400000-0x0000000000604000-memory.dmp	WebBrowserPassView
behavioral2/memory/1708-437-0x0000000000400000-0x0000000000604000-memory.dmp	WebBrowserPassView
behavioral2/memory/4184-573-0x0000000140000000-0x00000001402A0000-memory.dmp	WebBrowserPassView

Executes dropped EXE 22 IoCs

pid	Process
4656	alg.exe
2400	DiagnosticsHub.StandardCollector.Service.exe
2804	fxssvc.exe
2428	elevation_service.exe
1064	elevation_service.exe
3580	maintenanceservice.exe
1516	msdtc.exe
5080	OSE.EXE
2192	PerceptionSimulationService.exe
3864	perfhost.exe
880	locator.exe
2320	SensorDataService.exe
4588	snmptrap.exe
2292	spectrum.exe
3724	ssh-agent.exe
3616	TieringEngineService.exe
4360	AgentService.exe
2580	vds.exe
4316	vssvc.exe
1412	11111.exe
3004	WmiApSrv.exe
1708	11111.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\System32\vds.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1360ab03e6c0d63.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\locator.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\HideJoin.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fab34dd71c54db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000632782d71c54db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000467b14d71c54db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b5cec5d61c54db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd2a44d71c54db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006041fad61c54db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000039dff7d61c54db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f8b65d71c54db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1708	11111.exe
1708	11111.exe
1708	11111.exe
1708	11111.exe
2400	DiagnosticsHub.StandardCollector.Service.exe
2400	DiagnosticsHub.StandardCollector.Service.exe
2400	DiagnosticsHub.StandardCollector.Service.exe
2400	DiagnosticsHub.StandardCollector.Service.exe
2400	DiagnosticsHub.StandardCollector.Service.exe
2400	DiagnosticsHub.StandardCollector.Service.exe
2400	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4184	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
Token: SeAuditPrivilege	2804	fxssvc.exe
Token: SeRestorePrivilege	3616	TieringEngineService.exe
Token: SeManageVolumePrivilege	3616	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4360	AgentService.exe
Token: SeBackupPrivilege	4336	wbengine.exe
Token: SeRestorePrivilege	4336	wbengine.exe
Token: SeSecurityPrivilege	4336	wbengine.exe
Token: SeBackupPrivilege	4316	vssvc.exe
Token: SeRestorePrivilege	4316	vssvc.exe
Token: SeAuditPrivilege	4316	vssvc.exe
Token: 33	2804	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2804	SearchIndexer.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	4656	alg.exe
Token: SeDebugPrivilege	2400	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 1412	4184	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe	106
PID 4184 wrote to memory of 1412	4184	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe	106
PID 4184 wrote to memory of 1412	4184	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe	106
PID 2804 wrote to memory of 4860	2804	SearchIndexer.exe	110
PID 2804 wrote to memory of 4860	2804	SearchIndexer.exe	110
PID 2804 wrote to memory of 4880	2804	SearchIndexer.exe	111
PID 2804 wrote to memory of 4880	2804	SearchIndexer.exe	111
PID 4184 wrote to memory of 1708	4184	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe	112
PID 4184 wrote to memory of 1708	4184	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe	112
PID 4184 wrote to memory of 1708	4184	0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe
"C:\Users\Admin\AppData\Local\Temp\0e096c7c7fdf3b3cb9bd341228c09bc9d92cefd9d9ccf3642d29b1eaa3ae68e8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1412
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2416

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1064

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1516

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3864

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2320

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2292

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4860
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b7a57ebffdf97103e8d5d7bc871893b2

SHA1
863212615b604ba5da13e4dff90a1e6a847fff77

SHA256
803cab536a153694120bee7c268c83ac1cfb665daac57043246d0ddf4d1d91f2

SHA512
20410999cdfdbeabff7f932848aa869ebed01ab25416a4b289e791c53144b92a9d7fcee01b06214bfc4a021f5d09ff30d99dad518c6cacb6e1954aca77b2dd08

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
1b54e2b32ae326e6b079cf6d7e829f70

SHA1
2aa3e01445e1d6d76b58da8732d7a42dfcd197e8

SHA256
91d6134db4f809cfc8ed56745edd67dc4707002bfcba9f047ba3cd3a0838bced

SHA512
202d609f866a97754c7537a15295213903ea66f32237bf48635ecb527db90452906bf5092645a2947aed7b279ef05339d1b728a6e72279f0a686d059b23d2d36

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.1MB

MD5
994158ae099ed9c5afee4915b04b25fd

SHA1
2d1d698fd7a8713a1314a149f0a56badfb00b3e9

SHA256
3477450cae53c2c05fd9cafff979db65268b7596750692639b6c2e4fb0ba9080

SHA512
2a06db36f1c9a96f40d66d9c9567aafa6a61a05b52af7b7daffee6d602f1557aee3b8ca0914c147866f3ff61ed617b58f782ed7f9315b67dbcefc449c01f3dba

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4813952c290b9fdae41f5d407b9b9f0a

SHA1
d9f6555a208dceb9d629be10de851f916760da31

SHA256
7153426cb6c1d293e36dfab9b35a97fe42c331f5393e5d947afa41bc7ed7a9a1

SHA512
3a9de3ca35475034e974e5511fcda8e13d7289ea0d86ee5447d97ee5e62ac0bf52e794ac8ae161993d6a3f1851daf6f0804d990649fc71755a398e828f21668e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1cd44369011e227a84088ad6d368f101

SHA1
29ffd5c81729eba1ebd1c916df1c9623384c225e

SHA256
324b1ad5889856ec6ae1dfc13129623a46de6cb9fa9366bc6d4642400b5cdf85

SHA512
114eb077a62b36a16d0005ec61d3435dc5056d7b2b31d512e717b87fe8bb837ecedd67dc72d9f9a9b90894c82a356491518c0ac3c617fe57da661ddf25f21ceb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
1806055500611380bb8a954fea0065c2

SHA1
a18ed37a5303281b830a10286ab30436520e23e5

SHA256
2857087ec04f4fb465d7b80364575dc381a4601086f3fbdadf545e46ba281086

SHA512
ca4376c6044210383cdbb7c1417f199907a0bab1811f93106521dbdd7715186fb6ef40cf4dee8ab756a120810b5496791a21d15ecc11b9f3f90b30cc77835377

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
63b7e781f411149af6bfd4f83bbdf8a2

SHA1
74ed55331c030da67b312d09796112b58b144008

SHA256
02cde1d957a139ae18fbebc8995bd6e3fa86b4666a1d8f2c6a71539618254ee8

SHA512
f5c512291d573e092ace8ba9b5794070fa1268b423c6ecd24f36e609639c327ad985cc6fc4cec377ded110c13e4867e2528f5f1ff30e082f2419a19433532bd3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ef3dbc1f9ad915bc977c8cd13e3c2c90

SHA1
b885e849b3e1fba6d3a1a82d829e6ee4bbb16339

SHA256
6f37641aed95cca83525b9c91fef41d35273448413d9d1287de3bdc6ae83c849

SHA512
97cecb8941a08011acc53df884ab2cecec355ae81a8c32a430eb9a3ba97db70f006f1d87f0d8a80e65bcf75fde936694b928f7de6054abf97e294504dcdbf6d9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
92fbc672b3637d82bdf5b9aa0aee3934

SHA1
23ab1785e40c0d7dd02c54f6910491ce9425b1cd

SHA256
37c947a7372b3bf44df0940367a732bc86a9bc6d8d1f9fddd6b82f125c6049f0

SHA512
792529388ba204e70d78b87aaf67db889d0bcf5a4442b559681c79907be86bed4c33a4103551b2ee78ef7cd5b7e15250d327a82968521085463c371c566c0fbc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.8MB

MD5
1d3ce61de3e8da717e822708ea9e189e

SHA1
294a164ec094286441419e5396b24b25a76bcf77

SHA256
e4f201fa05aebe11ccc717f4fb43c8ad3d225b990aaa8845a51a2d3ca7126028

SHA512
117d819f1bf05dd4d27655b2df2f25eac402d455212baa01eb53978d4204b8bb20b565bec8f4c9aaffb6e48a091863af1af7c9c740bce0f88ea792dffc6952e7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
0adbd820cea3483ce16f7f6082dc9788

SHA1
e70efe817947b59f1338c895a6923a9b604e5611

SHA256
2cebfdb37bf67162c6b6e426fab8665a52184e780b40e66dae1271af2bc7646c

SHA512
99a0361637877f96fedb79af6e5c3b18c7512419a9a12071610f321d8b077f9d290951821323c63a2511833eba1c52e57feeebe42a6ec7b6971f362d2d1dd353

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
20a2bc6eda6b9a3705ee98c0c908b85e

SHA1
d38d75c52f85e8043e03d5084d5fac52e585e56a

SHA256
ec8481df89e8e01cf1d2560eed312479bc737baf13a6af3e2d36f52083660823

SHA512
b28876ef77209426605ae9e5a60018f72425187d161b7f913e4f65a57066179351353390bc65013a40cca1150d8deef9c055ba37d333c715aa59d247fe545901

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
515271ec8d1f444736bd8901c2b77a32

SHA1
bca1ee5f0bc06e5e8a4dbb98dbd8f84fe8478602

SHA256
7948259e4e0f5f3f407e88d8defda777e6506ec590182e7dc0dd8b8d8cc88a00

SHA512
ef2a32746126c985f013fb42fa990d5109eb85787e9b80c87395df3ef5d1c0787188a50b3c58d2f0277fd175e20988f6e53283466b144ba2d130e199a123b543

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
241ecab1cb73bab6840ea7783eae4092

SHA1
bd15dd64dbee5dae94e7c6ecc9147eafde20fb3d

SHA256
1fda6b92a1a6dc9a5e984807a1e4c603475253a540da763f0e8f6464d3066128

SHA512
7c5f27a3f4716691eca7a451c2a5a2646e3eb2a8d04fdc040c117f5a0a5d1277bbc0dbf8e37215c52b90fc71b286e41f52c098b52b3d6208e7e53a55468831e0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
446176906b62f996f28b4b216b10bf5f

SHA1
7bbb1492b23547b25f5f4cda1422d3882622b120

SHA256
c777a4376a01155bc694355336aba0b816c1d37934679d253f82caafdeef479a

SHA512
059f53c0b9dc26a463b4b0cae3d5e52867801fa408a08983d320e13659bd8f7b14722831d72dbbcf79d67026f79a0ac599360fad7221b50ccd4b898f2bd67563

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
f06e4398101508b548e8755edeae58b5

SHA1
18ca7fe1438ec87e68ae8c78bb1b6ff7f318ea78

SHA256
9329569d9761afb1d486dd2d9cacb19708d1c6f0f1fb370555f77550c858b0e8

SHA512
f31cab4ded53ad5ce22914ddd8baf75e002d59a80558c46287ceedd5e1b094e447fa1adfc1f0967825aa540d46fbbb027fc98e9f934ba315bf5c0df16f76f22e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b57bc84687d128c47d145953a5cb12ea

SHA1
8bb944c3397217e1947412f85906e72807c9a283

SHA256
baaccca65c1479821cc9c4076436fb47e3df0381eeda36eca4bb8e802778bc40

SHA512
c6d38b3ce2cbabfea5abd15b8b998ea83a70f05efb728fafd3b5176b389e6a0b5404c299144b153229b24376edf2887d393414af40e734f354ababfbde288efb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
0d3b9c8600e58ccb4d96b4cccf473803

SHA1
fc4192cdca4b0d11ca1ab3319df8e5d48974d93a

SHA256
7c79f47c9fafc6c91c5723fd323086795694ae018c605fc1302d65a5f8a98095

SHA512
c788408903167f7a034dfcbbe1a31c92515c05db77e69a0e4dab04a388568f27ef0da580427e3718595a3aa1c287ed80334fc1372a2a6e74a01f2768bef99172

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
d55e8e3d523b43934be2e55ff475ee06

SHA1
03dc66818d7721eb93ab68533b9c8190b8519028

SHA256
05f28f33e35bc8ffff821e5cc50384adb4d4c3ac0eef07ca77e9d505306812b2

SHA512
f583e57763b793f18de7222aa129bc2e8186235a8b1a1abc9fa474836b2799bf9f29465000919ab5ffa0f0aafe1897659fbc2f0b8cbae9a3f968494b5c34ec47

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
44b25de20654020f33dc635ccdd914ed

SHA1
f43543e5c745ddf44dc2910af8bac092e4a434f1

SHA256
f5fcf9cc400714a66588de74c30e816b7f5cb60a66c891ddec37bc5e304a768d

SHA512
c3a2329b4f52955564656cac2c7aabbf90f75d56570df85867c8ae10341f657c0b5f4bdeb6654c1fce2db35ab64e7bb7eb5985ca6baab8c5b016584ab8dc752a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.7MB

MD5
1c46e7ba886f031f37e16adab3b5badb

SHA1
d00a52c1fc3650b5b4352ed9a4547a4dcda1b688

SHA256
01541d8c27806c05704a9ec76a1ca9a15b5321d1174d020f31d8df6d73c8e194

SHA512
a547da9ad10e4120b42b7ff83da477170453f634593a4627a918df1b24855c4f7f9d34f90050b619a6bf2bb46b1cde90a23c49585c07a4b334c6e636cd045225

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
7708161b868ad9da61dedb421531b24a

SHA1
bb162bb43eaa81b9513cb57a2e0d66d5ac3345d9

SHA256
0c3b52179e573f6d7c091aaa870b6a6c2cc1a5cc4984426cb4a7fea0ef5f4a7b

SHA512
3fe5f2ef4fc43397ec66fb3b8430ffe84721970ad578d67e01fbfcabbf414c3722937254866074544c28b7cf3d804e26a8da13f4f09c755a2f1453405a1d2b67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
8e044014ae17e2212328019e2fc5b0f2

SHA1
07ff09233475913e62ac789c52925079483352aa

SHA256
f61a601da72c58b868c508c7eac9f7e88d3fbf16a34abf695455f07da0057970

SHA512
402c1f09ca1c3a3d71b02eaba4a035a5dda22139666be6caa05f5ce31837a310926a9cf964269cd47bfff8cb752cb8d9ebc072ea1933883ee501b9c02207fac2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.7MB

MD5
39f533a584733a6851c2ab820852515d

SHA1
37772085d5e865d80fd8b52e658c0037b8dc088a

SHA256
6f4f6b4d73e5c604d8d0c37d128e97b2d8f7b343c2989ba80856af7bd7b7bacf

SHA512
5494f40a4fcf17bdf20971759aec2e6542a61fd33b861c0c406fe5505bc3c8316d8ccb1eb7a006e8d1df39d0f88c125772dd3cedcb7f89721c59d39bc013bc75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
4e81f579f8baab1f1477ddddb930c17e

SHA1
a3fc430bf856b192b22d8ce41fb2f94d702b81f7

SHA256
0f88f6261c360c804c05f50d838bbcfaff697c799036e2aad0bcd9173dbe1b6b

SHA512
a08a8a3c48ae425b68e06f474b308e970a9c845373903874abb59f3ed48d60997059ddef7fbbaf688f200a1d32e13994701f42367478d03277c83d6a2d79f4e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
2.0MB

MD5
a3e12e7536dfe561caa2492e829d9a70

SHA1
d6f4faf542cec4a7c5bf1a24660029b7ee9ba16e

SHA256
7d7e3983a129a4524c05f1888686ed94b18bc59255957921f6e44890f0fa0fa5

SHA512
8a9a66864dca76aa127ae980625bfd8efc9602094a898da9cf78a76fef3d4dfa468c71a8f84bea429e792f8a2f844f041adc2ba2142620e9d3c0f3f69389749e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.5MB

MD5
1d5c18b6905e7740699f50f7e862b330

SHA1
ae0b30d4c367939d3d83f4d6015cad5d1c70b9e9

SHA256
6bea17174c8cc6993a3e0d2258e50a17860eb1a72e1a34b38f17c7e7dbb988c7

SHA512
24eaf5d3b43f349cbbc451e9b3d72d9c0e2d1ed8c42fe7e59eab563dafb371410e653922a6bd30bbb827c48e461fd2022e2d25c78a313daec64ebcde95acca8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jmap.exe

Filesize
1.5MB

MD5
5c331f2f7911adb622056102ac7bac40

SHA1
1c224fc29eaa02b47ab713e79d7f01b49abde2d7

SHA256
2b9560a98b0eb692eea3cc2c9300ff88eb40478bf14c6b54ce583d0019fd369c

SHA512
f6c1052edb70691c4c5cc36ab0f66c43130027ea409a9fbdcf3fabd4be34ca2209b5d2ac9adb9ab2703296d11d64685dd1c36b3806aa5f281cfd2c37f32c78ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe

Filesize
1.5MB

MD5
70e36e84b3c573129b7fb7de5cbf035b

SHA1
958b2fa032c62400449a3d43045b8cb95ac32697

SHA256
85bd33f37b58ad0f2fa08ffa74885eac283c4f6124d6346c333dee5da4d8fdc1

SHA512
31ec67920fae54ed1cf0949acb7f07a672ca40d7b4106d7c987f4142c5b026b9c9177eccace203903096db59fb4f5128adaeb772ccd44d59b4c7a39b8d14b567

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstat.exe

Filesize
1.5MB

MD5
6a43a728b6d35f18b2568574374ae305

SHA1
a51d194f8b7378fdf4c8415633b939252c839742

SHA256
f856a094468056a6d1c7b1c00d06d23346a8c0643fc12051ca66308b17a2418d

SHA512
0fe385595c184dd473fd5891fa6ba94ffde33556c0f85d9a1a52fc8c63a13f0a580b95481652c41234be8bcb0e6216d46909c0e9d122aed8de097b287f0cdf9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\kinit.exe

Filesize
1.5MB

MD5
81e72a04db428ee6579d3cd7de0ff927

SHA1
961effaa097d90c8d2f77a277b210600e080316f

SHA256
d2cb9cc8ee82d6b3026616e3cbd38da74f683997a5d35961b0b9c44d8a623bfc

SHA512
4fc08ea6c32f65a4a2aa7ee82adef55e55098578a7cb6cb4c2884c3af91cbb18e0f582608dfa023b6839cba76b4e8f4cdfd6a59d2136701c3f4a72996f662343

Download Submit
C:\Program Files\Java\jdk-1.8\bin\ktab.exe

Filesize
1.5MB

MD5
b306648c7640a41a35a5e8c13800d7db

SHA1
0ce154ff5e09b86b3591ae3c87e68278ca34aaf8

SHA256
8dd7899738d8b8af06dbd202c7a799ee0552270bdeae9473290d570b75cf4b44

SHA512
acc6f094f88f2c787cfb8e749d1ef79f056b0c9070e6766a3c8c03db1c66a3cc9543290b67052eee8c319924933e5215ca6c8d7ff08de6693a325cb496f2729f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\orbd.exe

Filesize
1.5MB

MD5
9b9bee11a267a6a64aecdc88a59f4007

SHA1
c2a7da50644e308afde1f388a987ab3925f79ba2

SHA256
544a51bc5fb2f5fe516eebf0e5caf65aae0f8babe91630f7fda32d2ce2ba3994

SHA512
d795a7e2c5349dbd6cea5953a7e3e5c528f9a43ed480fc0b8b28be5a6b07319dd88d27d233c6b654e6a27eddfc3d22cdabd5639eb6626e02fadfaed80c172f9e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.7MB

MD5
ec429a8c4a73d20c446d2d52049c8b70

SHA1
4acca63bb24be14b740e3212ba86832b879e45c6

SHA256
7b7eb4a89b4d016a12cfab4bef12b56b93b29f45e04721446b8249d07f3a151e

SHA512
5d46d7ab7b9a7ddd518f5c3bd033f02b12b84f9daf4ae80b5b22ad0e6232c767da655284177d49066343ef1c93351538c1c58c248487321a54fe113214f27dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
458KB

MD5
ba3a98e2a1faacf0ad668b4e9582a109

SHA1
1160c029a6257f776a6ed1cfdc09ae158d613ae3

SHA256
8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5

SHA512
d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
1.9MB

MD5
d27dcfd071018a4d1e62bb07d2930737

SHA1
98e1781a09233bdbe1d906c46d0662a7f449695c

SHA256
4c3b9150bf484b0611bc7173b52845baaab57f2a45aa8cefc4d8e5e465394840

SHA512
840e1df1a136298b1374f756e1aa12a778c9480628cd401ddc55a7fbb73e6f95083d8b8a7109b0c11a0d4be6373d446e10821563ddd44ee912f9eea54b49483b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
3d4c08e0305687969de78f4aee28efcf

SHA1
771f74f271f6a11682748d45bf4af001aba77bb3

SHA256
1503e9477eb640b1befe748ad5e10f04593ab144fc2cd748d0fa65d267b43fd5

SHA512
b3da9f9084a31a60213da905b4a8aacf204efeafc0b71816ef91266ab57fd8c8ee8a1119f4aedc198e220af4ecfa2b91a30cf06957cf7261354ab24a0c591476

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.6MB

MD5
864d2298c858ef798866990ce4daaf37

SHA1
d8a5abde92888193d72c77ede86aea0c91769053

SHA256
1d9942bb38069f10485ec2202fb809cb668a2835db2a60062746d0dee00c9296

SHA512
c0c4ebce85043a788e6de7ad01bd0b748a8984a89c5261846b2738f1a70456c26069e97e075132729336e6747615ed6824be78ebb65d99b3b8391de12aa2f41a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
79b253f359afbac49308776964bbce14

SHA1
46551f07b6002fc872f9fc845e99dd31304d01f7

SHA256
f89a2f7c00f7252964e068ba6a2166134ad9d67026887361f955ab6ec7e583b0

SHA512
03ea3a2cef0ed76cce99835cc078a4e382b8fef330b40c39fc51f1d191eab2bfc553da8866e0395deb8db71ae4ca9baf3a3de2831db1aca0d44b2da96111c92b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
ef582b67856e0747a7064cdfad1cfd13

SHA1
3b39ff5c99551abdf1e623b61c2c89acf80d8339

SHA256
3cebcc24d8d3f2e9ac8a79c48dcdb44118629e95998832170326329cc64d07fd

SHA512
1d37663103c0b18da846cee2758e1ced10f2120533adf5afe4c24687efeb207cb2a06f5fda7658687271d5a2c1aa36dcd7328408d02476c9ba2bb04514f2e7ab

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1da68411ccbfbd486e37f72abec94451

SHA1
37514781d3ee68a6e03290f529627bccb2c9e9f7

SHA256
131a6411312370d1a328eecf5a5a8080c7369037f6401ca21ab74a7a40717d64

SHA512
d02837b9575ed964ed7f28f1f029c23d6fbb43291f0df5f9104adf50ca4ff3ba10a09518f26af89759492eaf8133e9e7b6f12b3a74fcddf33660f95c39264d29

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
0b86ca809fe4173136479c169ed4d31a

SHA1
b65198f12365fdb02b7932109819a2b744b8c68a

SHA256
71c8dcbf417461746dc119618089c438b59442fdd74d36fb7a83917d4945b928

SHA512
b44b8d025627021b176c8d0b766acf4cf5a42abe3ecef47b1e26cb51ed398313ef00f3aa0413d75c10f8f303e927adce0b92de466a44820dbc90dc6ef26925f0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
d7ab1446cc4ef9e9ded654be5fbfb7cd

SHA1
3cebf36f59062b15282c9b47c743e4cbf7bb7d92

SHA256
53df0d355f67e8109e518d724bfc8f5462cc0dc87105c9f8e85eec0c35769211

SHA512
33a574bee02f8f946bb4f3de98feed6486f23df05e7f8c8977781c4dfb06aaaad66f01e0a3065d807876c09bbfac97a63beb196974f4cf2dc39cc36a44a6d483

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
9733e81118f8f15d1d878d2214560cac

SHA1
9b84e64bba3e35c1de0004a55bbd7bb1e82de1e3

SHA256
2ff13b1aa308773cd0dd79c47bcf74c008ddb44063e143cc8dd669732fe31ca3

SHA512
adc3f6aa392e8306de011fb8163f215b51c7ca0ed088fb11a049a6a82a6f1c1d84d9e7addcf51b75ce2c8dc61caf5e8d4f10dc03e33886e0dee30ddd0d94ad7f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
44fb7e1f1b87e294181af321f9ff6acf

SHA1
40a9f76994a8362a6c50f8ac9b1bbb61edaf25df

SHA256
177c9f1438e9238195263958e87cd0c3d1d1cccda3e7aa939693f8508d40bc73

SHA512
20deeebe787a93effc0d18921b0d20a79814f33e5a40274eeab892d8a8cd5bc30880cbdbb68009c5ff1e07a1b5bf2ba5e638934f030a8108e74510e20b0afb41

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
421fd1bd80055789d330b4265cd0ae6f

SHA1
ee02743fe2a786ffc4ae11249d21c65746a1505d

SHA256
7085042730df27d791d09e9074ae001d3a2cdf35d028fce17cc9cf417630523e

SHA512
73ac00998e47d3b5e0fa66e2f350e59f45c84222d9bf78e5a832d77e30bbdcbc0a6c95b954192300816613bfe7d5c2c3deb9a1782cdfe6f110b6481963d9c3fb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
7ebc4f746376429ca1b25b71dcd8a2cf

SHA1
754887d7614ff8f91878cfd7267a921e569bb4e3

SHA256
5d1b690aba06299e17587918801af85e9a0e93d3374fd2d33b7af5c4eb4aa7c9

SHA512
9584c81866c9ab3a89e792233c4de42fe79e419d851f45bbcbacbebea31df7044438b60165ecff52b6718e072898b6f23ea3594cb42b6752bb10e2ad4ef3e8be

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d2aa5ea2eb2a3d011e6bceebcbe3d808

SHA1
a475bd76dccd7ebf76da2b8eb797f03b94ade7ef

SHA256
03f5c400aa20d9d57371e096fd4af7ed5142062b2db3f729b3120e5aaee46f9b

SHA512
9a4eb603a351508bb6b0750b8506d86c64aea31a6136a79746f61651f15aa4b0c2b2d160e1d1df2447fb636f05cc2c281a549723ef32e0711b7d53f9e784f42d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
e0f2859784e8fe3ae606a33a51009503

SHA1
3bd47ce6d044877d43b548e6783b30f58196fc7f

SHA256
99bb7704e23e38bbcc24138958156f87f2e27520fe4a8e5a35ea7446cee69f09

SHA512
79abc862d12e5cc06b111f7a9ed610ec01b8a4e26c8fd7dc27b4ed084b4e5712a7f95c0b7ede171d1c98b2b1cd349871f364ec0dfa30810ebefec28c2a300830

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.7MB

MD5
2bf01c7ec1cb41ed2ac8909c37d740d6

SHA1
ec6a439725373ef4c36ce2cf22fae64f56be04c5

SHA256
06d170631498f9e8860043c1d02400f90f3b40fbc6be475bcd9f3aade8b094a9

SHA512
8cb72589b9fff72e7babd79c6d086ff3fda6ec49535d6caba30b99b955b55da66fc39b4c480b5e3453511cf9adec806c538e49e32ca39c6ad49515e499fa203f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
ef00411e0af2f01fc063a9d701185adc

SHA1
27ffcdc28d6ee24bf73cbbfaf1834adb7e5144ed

SHA256
22ed6f1d15f5f99c15b4555510fe711e199f1ddb2b17577fad67da91e4f2239c

SHA512
68f1babde8d0e720f7064b4f83b1890351431c5016b61624f0468690fdebad4bd306cb7b4ff854dccd20fdbd5353cb864c0551bbba710d8bd83e0f2ebcda57e3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
31434aa37b43ba66bca771c33b6f4d93

SHA1
b6b51d74940e10f5c6cfea31eb77651d87f2578f

SHA256
f7e2f293757b2a08b395cf4cc34780b3f3b53cb46e787fa628f4f76066e5a461

SHA512
c0d16d4a2225c7624722fb185277f9382389a5804e4f8a0092f9a1084e9c1708a64569846921f08996ba82c9b3ebc58d8eea0e95d69bd1d393f51ebe51d175b8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
249fdbd3afc247c70c1e257285b73743

SHA1
9f971068fdb56edf9d14b511b2ec12346aa6ece9

SHA256
30e066d1f2f80821bdbfc71c950bb85c8ad474d1761743fbeccd3d9574ea7bd5

SHA512
53a2a0c1ffaf83f7be4e1762b18f8cee09a09f8c12f17cae20b2da3b2afcebcb3fc2bc1feee5920b273ccdf0ef9d11f4a313a43b5f52790237bdaf3c6f5bc73d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0307f005508bbcf723859f1489f79fef

SHA1
61fdc15b853f789486a0dd1efabe957ac4d1cd34

SHA256
3cc346794b45983ba01415d40f341961e418a7d072274e7ae0ebb29480553de0

SHA512
f784dde0aca83d03bed753ec6a2ad90e14100cc8447fbdd5f0677e07981b3555550cac016a7632e36b60fd3a2a077f3bfa8e6c00e67bf401e2dca91fbd9e447b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
6992b9f13f4d4d58f0f2c758f1c1dc15

SHA1
6eb61283b103598287d8fe03f58899d63b170026

SHA256
a44b3371c166a881fc08654ffc0e9884035e6a14b607ee77381a00b3f372387d

SHA512
db94293b0dcd622c5f8be2db05e881f2b2017eaaf68c0fb233d56a405679f700f178c9e43dd7565519e05ed2edd95eeee8e8923186dc924190fc5b45e8be94fd

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
d33066f3d4a05fd7dcbd7ce462050c61

SHA1
b4cae39570dfd67f8d4612f8a5caf7a8c3300320

SHA256
e7d9fa519ff4c68e9b7bce3edda193fddb5c41f3e316364ebb4a0da145e5e88d

SHA512
a4801b8c3fb12915e07d7664110343e26c9ce58c74acbc06473c53e3a7b4a339f2f4bf997c0f3ddb5651cd54ed115c5d5056c42644cec4e99414155aa7e23625

Download Submit
memory/880-260-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/880-144-0x0000000140000000-0x000000014018F000-memory.dmp

Filesize
1.6MB

Download
memory/1064-74-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1064-76-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1064-191-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1064-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1516-214-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/1516-94-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1516-102-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/1708-437-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/1708-406-0x0000000000400000-0x0000000000604000-memory.dmp

Filesize
2.0MB

Download
memory/2192-244-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/2192-128-0x0000000140000000-0x00000001401A5000-memory.dmp

Filesize
1.6MB

Download
memory/2292-370-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2292-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2320-558-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2320-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2320-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2400-127-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2400-28-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2400-36-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2400-37-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2428-52-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2428-58-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2428-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2428-178-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2580-439-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2580-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2804-64-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2804-49-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2804-560-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2804-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2804-41-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2804-65-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2804-276-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3004-261-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3004-559-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3580-79-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3580-90-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3580-85-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3580-92-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3580-87-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3616-405-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/3616-203-0x0000000140000000-0x00000001401DC000-memory.dmp

Filesize
1.9MB

Download
memory/3724-192-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3724-398-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3864-133-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/3864-247-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4184-73-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/4184-8-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/4184-9-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4184-573-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/4184-0-0x0000000001FE0000-0x0000000002040000-memory.dmp

Filesize
384KB

Download
memory/4316-245-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4316-504-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4336-505-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4336-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4360-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4360-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4588-356-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4588-167-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4656-21-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/4656-22-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4656-13-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4656-115-0x0000000140000000-0x00000001401A4000-memory.dmp

Filesize
1.6MB

Download
memory/5080-223-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/5080-116-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download