fabookie | 52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
147s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
Size

2.6MB
MD5

ac61bf11750f832e0bdfad0586636219
SHA1

503e037dc47f53c8f8d670548013c81f69a51707
SHA256

21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43
SHA512

2a1ea73fa22efd35c2a17dd5a6f3e7724103c9d7ff4e0c41a1bb973ff55ba63f4d3ea52283a495ea68848495be29a165a8517b7d6c9cfdf8779650f795beecdf
SSDEEP

49152:hrEOLD0xg+aJVXfxu3Eosp/qw7RV+uY/bLNiXicJFFRGNzj3:C2lJtosp/qw7ybb7wRGpj3

Score

10^/10

fabookie discovery spyware stealer

Malware Config

Signatures

Detect Fabookie payload 3 IoCs

resource	yara_rule
behavioral12/memory/3416-71-0x0000000140000000-0x00000001402A0000-memory.dmp	family_fabookie
behavioral12/memory/3416-6-0x0000000140000000-0x00000001402A0000-memory.dmp	family_fabookie
behavioral12/memory/3416-479-0x0000000140000000-0x00000001402A0000-memory.dmp	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie

Detected Nirsoft tools 6 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral12/memory/3416-71-0x0000000140000000-0x00000001402A0000-memory.dmp	Nirsoft
behavioral12/files/0x000d000000023b83-152.dat	Nirsoft
behavioral12/memory/3416-6-0x0000000140000000-0x00000001402A0000-memory.dmp	Nirsoft
behavioral12/files/0x000a000000023b96-374.dat	Nirsoft
behavioral12/files/0x000a000000023b96-372.dat	Nirsoft
behavioral12/memory/3416-479-0x0000000140000000-0x00000001402A0000-memory.dmp	Nirsoft

NirSoft WebBrowserPassView 5 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral12/memory/3416-71-0x0000000140000000-0x00000001402A0000-memory.dmp	WebBrowserPassView
behavioral12/memory/3416-6-0x0000000140000000-0x00000001402A0000-memory.dmp	WebBrowserPassView
behavioral12/files/0x000a000000023b96-374.dat	WebBrowserPassView
behavioral12/files/0x000a000000023b96-372.dat	WebBrowserPassView
behavioral12/memory/3416-479-0x0000000140000000-0x00000001402A0000-memory.dmp	WebBrowserPassView

Executes dropped EXE 24 IoCs

pid	Process
2436	alg.exe
4040	DiagnosticsHub.StandardCollector.Service.exe
4724	fxssvc.exe
3592	elevation_service.exe
2120	elevation_service.exe
1740	maintenanceservice.exe
5032	msdtc.exe
3012	OSE.EXE
4804	PerceptionSimulationService.exe
4176	perfhost.exe
3424	locator.exe
2904	SensorDataService.exe
3096	snmptrap.exe
3500	spectrum.exe
2804	ssh-agent.exe
1728	TieringEngineService.exe
5076	11111.exe
4640	AgentService.exe
1424	vds.exe
2192	vssvc.exe
5028	wbengine.exe
2428	WmiApSrv.exe
4652	SearchIndexer.exe
1008	11111.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\System32\msdtc.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\System32\vds.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e7f30ad238f5360d.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\AgentService.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\msiexec.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\spectrum.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\wbengine.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86328\java.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11111.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007472c90a7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec24610c7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069bff60a7d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b378f30b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000357bb50b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a85dc0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aaee080c7d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024718e0c7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1008	11111.exe
1008	11111.exe
1008	11111.exe
1008	11111.exe
4040	DiagnosticsHub.StandardCollector.Service.exe
4040	DiagnosticsHub.StandardCollector.Service.exe
4040	DiagnosticsHub.StandardCollector.Service.exe
4040	DiagnosticsHub.StandardCollector.Service.exe
4040	DiagnosticsHub.StandardCollector.Service.exe
4040	DiagnosticsHub.StandardCollector.Service.exe
4040	DiagnosticsHub.StandardCollector.Service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe
3592	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3416	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
Token: SeAuditPrivilege	4724	fxssvc.exe
Token: SeRestorePrivilege	1728	TieringEngineService.exe
Token: SeManageVolumePrivilege	1728	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4640	AgentService.exe
Token: SeBackupPrivilege	2192	vssvc.exe
Token: SeRestorePrivilege	2192	vssvc.exe
Token: SeAuditPrivilege	2192	vssvc.exe
Token: SeBackupPrivilege	5028	wbengine.exe
Token: SeRestorePrivilege	5028	wbengine.exe
Token: SeSecurityPrivilege	5028	wbengine.exe
Token: 33	4652	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4652	SearchIndexer.exe
Token: SeDebugPrivilege	4040	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	3592	elevation_service.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 5076	3416	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe	99
PID 3416 wrote to memory of 5076	3416	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe	99
PID 3416 wrote to memory of 5076	3416	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe	99
PID 4652 wrote to memory of 2856	4652	SearchIndexer.exe	108
PID 4652 wrote to memory of 2856	4652	SearchIndexer.exe	108
PID 4652 wrote to memory of 4660	4652	SearchIndexer.exe	109
PID 4652 wrote to memory of 4660	4652	SearchIndexer.exe	109
PID 3416 wrote to memory of 1008	3416	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe	110
PID 3416 wrote to memory of 1008	3416	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe	110
PID 3416 wrote to memory of 1008	3416	21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe
"C:\Users\Admin\AppData\Local\Temp\21babdc97540ee61d23b9f1b431716e3987dfe8b35fe21e38b4dace528f49e43.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5076
- C:\Users\Admin\AppData\Local\Temp\11111.exe
  C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1008

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2436

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2980

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2120

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5032

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4176

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3424

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3500

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1268

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1424

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2856
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2ffecd51452e1b3b4923d044ece6590f

SHA1
8e1980d4a34ea5c1cb409155ca853275e6deac08

SHA256
4098b3e1d0c2f5e9141683fbc4f079bc8d88f4156a70ed23ff8b7a595cbf2db9

SHA512
e72eaff2585ffa2fc5dd5081316e303705d80913c9e24ed67210f21b5b4bf7394b6f421cb55e41e8d845ab62ac42eeda8b7bd0417f15702fd85de5c048ab5406

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
1515a891145a837329ed8c758bef960c

SHA1
2fd111068dc5a3ca4582e0abde10cf684a37ac53

SHA256
9de31059d19aa79ed849e8c648aaafa82f37c71159775687a8b766db407c0068

SHA512
cd21bea995dbbaf70a5efab8a1009b0f57839570dc694ece340221795882ce1fdb6bd4badf013e60379457cf1f2cbde4d0ef9fbe057ec975acd9e0952a1f7c0e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
651560a7a62d5448f4d9cf0f83712465

SHA1
3ef0ea8511cd72b1258ff88895050ab3058737fa

SHA256
59b86c1fec382be3faa65d7d93a983aad6fe1966bfdc545da0d5a7d41ec7227c

SHA512
59e5d65cf161157cbb904133feab780df6f2abf1064e4a0b0c61214522abadd07e7b387fad2f080a4efa3c468e469631fa08285155d9b652e857dfd41080ccc1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
890b4e9ca445f4f71eca006e06368fe2

SHA1
e50d8a0f6243b77e9c2756fd69031882a45efe65

SHA256
2b04e754ddc969d10bd46f3ca7b67dbe1e1c7ba1a9658a959942a650c0d53a61

SHA512
e92edaec2d042f3cafbb9fb7cdcbb169a2cbadb6215785f84b8962ed863a68fda471e66f05ba9d9dbe8ab641e3e6a422a76c6df07cf40d6dc9b558c3c84a4318

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8409b5fe8fe84e101db0c8a3d1133d7c

SHA1
51b84a46aa957cdd740f0ffd358c2d5ce4fceb73

SHA256
61b8787800295e06af4a4c612dbec6835bcc19ecd9c2f3b539652da793377cb9

SHA512
22d8b9bbe8d41af992778ac44c17ebff4f82834548fb6b98165d0ff71e53a1e1aa8ceb0de1efb1694194a679132a66c0ab7dc5c22f76bd0b5a74986be514c5bc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0c01bb3423e50cd45c7177c620ed87b7

SHA1
5256590b0954804abb79ec57879a69efe58b28a6

SHA256
e7f2885437b52fa2ae08f899ac2007b5a5ae6fec43a55569182d1760aa260b81

SHA512
6976e27ddfa872d58401821ee34f5c1e9a0f16e903a122589f2d2e3685b0a27b9dc1bf2dadda03dcea5559c797c5996f134ffa42a490c8b39b75ef2025d300e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
69568c4606ff9b3da5c721dcd0baca3a

SHA1
cb9414e3e6f088b439481548adcee7d665dd25bd

SHA256
c17d45cb8fe345a4aa255610e9a16b378b5a253263127a174d02e7e184ce1c59

SHA512
fc2504cd86e59650255f067cebd7ad1d81dc3944553344179ade602b941bdefc6572dbebf397dbe6e72f510c5c7ca3d2f8773a3ba15a844f813226b9206ad4c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bec21b4acf486058e05c4090b5f0c368

SHA1
d367aef25d29ea18fc7b67061df7932e95b01a1b

SHA256
9fafc26a290123b07f02d23624982e00ed5b9667ac4736b767347fb5726d37b9

SHA512
9228a8b022c3530fa19b24a79880be2b87ca8c6df66ff65b736ef1ae207a430f6c33f78f282fd1f7dc8f6301dee0c25b60c981f45a621576ca821997c6d78419

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
59c91000ec590ae28904dd629696778e

SHA1
31677dbbeb2866f92a93fc57438eeb5d47be43fd

SHA256
a8653bbb02b5b3f1d846b0bdb5ba6253ad553f4eb4e7a967fe112cfaa14071b1

SHA512
0fe32c6ecc25615664b812ac4ed0dc3e87f63b28c950eb258c5a41e465e0c9a7c48dad4d3930738eef2783adf1fa7cd45548b13c6a287525c5b76cbf9850918a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
38de1918ff5b2d3b7dce3056fe2f8a37

SHA1
0c63c8937730e23ced1ec084a66ee9eccbc882ac

SHA256
c9b0f37016ff6b25d80f52bccf6fd471f3899a68d2c6c689bcdcbb83f85981c4

SHA512
4c019aa64e90ed4dc9c0b9a6a35a991db9494e37c245e36bfb1a99ac6ecf8051ef71c8196f664083583f8cac91fa6ebd0c1adebe9edc048fdfa21c54964b16bc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
283b8ed2979c07b35bc58fcce1e5df84

SHA1
66015b471bd4981724764e21c0d449337072735b

SHA256
9aab2b4b17d1dd121c7b2aa5b730cfbc375fc495e27967e7c288fcac4b001d6f

SHA512
76974ea89931398e6b331fc9533fe22635cdea0c25d2f0a46b8a9041ade9e116e1b22fe160d6072136d50b4f49aa65c58824eb3d62c8dc507cc1264e7c4232be

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3a44d8a376ab60e78d9e0b961646c165

SHA1
9920f6becc71f022e5dabc1e72133f5e9994a47e

SHA256
c45988420454b90dae33193dacd0f22ad26c781881bafd96a94fe5cb437fe07b

SHA512
333986c7d25ef475c54e6b4290c2c465bf1ecf9c40919298f0f36c3302ceabea25adce5750a90174d0ba40d13339e55c515c53e375cbbd5729370ebf8a03c1ae

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
877fac13943822f411e1463bffc8e817

SHA1
7b3127b68549ce89f8f8e1d9b6e73acb732de540

SHA256
bdd4993310f63fce9351b7c477431d7215a6be2a537e18053076716575e2bd5d

SHA512
838025de4984529a460dbd63179d611de83e1b99954a0e9d89add95d09085cf889e4a94ce9f4648f61ea3a8f5d8935d8331556dae01aa7bd88f190b2c808db00

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
ece8463aeba93314b696e074b68ed70f

SHA1
ab2c82231ac8e0b76ebdb7e56e569f6f51d86254

SHA256
37cc4cfb0d1039c5e03d6e0d3bc5c0966397bbc817a7475609bd0ec46efbc1bc

SHA512
61ca473ffcf2abe4b112ec4ce7a67a6e776696d0d39276c2c4a1122d0d5c14d16c2d57ae6e2024c600fff815812bbcbe6301e3100c2b54b1abd6825b30145175

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
c28d7c34e2288d27cf8114a9761d1780

SHA1
13898526c94bc014d7765d94b675fd9dbce0a0fc

SHA256
128798e327db1f86043d0d5e59184cda540ba9da65000544d0d85706af20a064

SHA512
290017c91c5320b412341caa8d36bc0f4e996fc27b3c52847ed27a3829aea4eb4d0de3c6e6b2ca40990f6e74644e473338d8784180fcd3fe3735a0095dd31af8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
ad403475356fffd8f4632d8d7b40e304

SHA1
3a0a7db27727d7922947f8074d309585870e797b

SHA256
37d63976a9b82ca9b7c095b95e0fdc5bc8a6057c9355c77ce74cee0eeef15695

SHA512
c55bb3721f9292ff74432e3965fbfadcbf087e194d9ef692b5bb6f346dbf97939e225ec568fc7d176572c2364d4089534c64e48b25c4dda6ddee2f16424bfbf3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0861b56e3b9198e88bf5f4a826efcdd2

SHA1
186c5817b0674120c3e73696a6ff34e8ba1633aa

SHA256
6d806cd0c55a878ff8ac0a80454456ddd5a0c8910049b6f7b82baaff6c8f766b

SHA512
80d59ccf694eb1f0b85f386490547827867c66e463f9076b17d037279a71d0b6e6202d5462a8fcf766fb98922e62b62be5df988d058549f8654f856496102290

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
42e51d87b1510ffdaf1232f7740e1f2d

SHA1
ccf9b73aeacd452d197495ca88868831b1d75f0a

SHA256
3d254ae686976264151fbcb02454dff6220f945f9f8f4a3d4ac69aaeac48f1d2

SHA512
77ab22fed6ccf859c33a81d9cf8cfd81aab7b1f7afbebaaa663934e4a16fff9b9f386d9e709704ac79172657b7e2a468f041d6108e8aa62d863ccaf71234ac78

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
2c8c4b04bb0d525fac97cb95bca77f7e

SHA1
6def234e6476be217de32025192ee506f66f4c73

SHA256
ca2c10c53e52129ca00a01de787fc05cb2177b63077531bd681e6f928ab7fde3

SHA512
c3639ba25a53af0998a33fefc66c8b3dd66050f88068ff0562e29d840a1857e8196e87654aa3c7b49b280cb13a44734ee6be5db6a20301c7c4e2732f0c39c5a4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
85798acef413e2fd5e030036f29bdf3e

SHA1
fc7949f08e01f8ec1b998f984fb4ebb7d7364f02

SHA256
b6817a4939658edd86e9c93bdc8f4e01fc230af0a59f8488def6965bf5d00fec

SHA512
78599dd7e37e9d563be671c17f40b41c8236252fed892e06d8ffbb8299397b7ec3e20f1a9ada2a1b62611ac7fa75e46636f17148fa551606d73bc0624a3d7d5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c0ee73aaac34e630ff4d5d8f61ac3c39

SHA1
75c253a00a1be40cf8820849bf434d038c64ed98

SHA256
e50e7a870acd4e7b77b59a57b5c91f5953e3b3ae17e7100e40a1925cc5376954

SHA512
239b54d52ccabd3565d3a82e0d2468428593c2971387c968d6791bea8e09d38861e3b41af79e2574aa16ee7c8db7ea345e0b749b18c77d0e02a2de118aabed7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
182b9e4c8544d8b78b2997817ebd83fe

SHA1
5a144c6348b693bf29bd03e5edcf9ce40d01f683

SHA256
d822d1795215397107951a95762bf555ac518701a18229714ce577edc426fadd

SHA512
16b57eaa6656f0e6f6b63e4994db394719e973b3a27ebff3f6a6dab6f9ea0ede0c214793640ba417df61d6f916ca3232d97d92fd4f266765a4eed5a81a7b7f23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
a70760e5194a494ff8437a60489ff97b

SHA1
92adb14fbc5796c988ce11bfbec7dc9f686b9be6

SHA256
62caf747ffc0ca2431ff49af2ad53a2be2d9cfed47e20d07e4f67e6c8e267978

SHA512
c6b042a3440eb545c3dc57b445100ee4b835ccc147cf7284872574329567f1bf78bf3173ae34996f5654f515b50ffa038395ea92c9b14e44cbe57d19ec1f88ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
2e72af3223fdbbe8f6e54883836e26da

SHA1
96bf1758f2d531d2cd6cb1b8d64cdfb809208a83

SHA256
d086a2e64f01675a76dfd5a9d3bf7347752a4dc0266d8b1f94ecaef81414b49b

SHA512
97cbf03170f74c88963b3a1948058ed36b0ec3f9fc66624676969a20bbc74478cae64dca9b013a6a1f872ef2afe3b852a647f502591d152f78a4d6b60944a3d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7a6dfa26edae0c25be38f3db0ddb5581

SHA1
ee0fb97264148871eadbb70adc2bce2244c909d6

SHA256
642b0a508be02ee63cf6041d9572c525a7832c79f4430244c568839ffa4d565d

SHA512
82686cd605ad8ffd107dd96bd52bc2f4ec33f4d30a0863ab9c436febbc512e420acd7df2ec9c56017f47ccc6ab1ec1f6ca3b6376ce98aeac58b3e6455ce3e389

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
e3d501f478aa96aa602abe55518f0307

SHA1
aec87fc7c8be72f5106f0f515beee1ccb812cc0c

SHA256
b69b8b26482620f69d681f1444f0c4abc24e99d3a0a86e8d8a020a26351e683d

SHA512
b4d3279b25286cb556d2f3853ec1fe18dade579b43be60a076a24d3c303a1de2ddcca695f1ac4551adafc490db1afc25e7125006fb47d75c31d46be496e65291

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
5608ab39de2ca9f2976383f4b9a63564

SHA1
4f338397f53bbe4dfc4afebfc55bc275268823df

SHA256
f4e93df53ac4c16c71dbe7cc145ddf2cf8e3e6eb9fb1b6e9d971cc8166a68df1

SHA512
af839340fed6ada9ba404768d20ac909d18eaae1a5aa75d75a77f17814c79f9a0f018bebd4e30b761c61613ac4c916d94014df135c217ebce59f7b522dcfc496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
17fd029ebcfd2d095b57a608d55c466d

SHA1
800f483e68362470a05f7020b45c75a153b10800

SHA256
88e0d897a66aefa93df462d99f58e504c18ac3b7f214c18fcfb37674df843597

SHA512
e69b93f51c6ece07dfb016edd3575b87116958553e719607fc80ec48b1a473418402862deca468b8cad7a9d7108cf73bf978f65fef91986f6abc0f03ae377667

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7af1b5a334a39f632fb9db9fde61f36a

SHA1
e8382d0f95b34e5e0aa5a90a861faa63db08f9c9

SHA256
51ef19a8ce03cf3b2a1a3545c4a8e1870446d9b661145627bfc02c1dcf365370

SHA512
ca17691b581998a63b5bb6c2d0cd3d31b576932313972ce462db133612490b01dddd16ecd84effc2cbc82578eac7ef67070a0646a280dfacbf89115dcc12c8a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d65542813a2dec9e8a432234fa08b466

SHA1
63b29d0f793cc515bf6ca3238c7e16c33cf02b2d

SHA256
7cd4b737650a7225b183e78ca5fd0a0a974ed0c64c9051500380705c6e3a5897

SHA512
9666546c77bc7dbdd891b7f690f453c3519317fcdda9c93e445991a031e62ae896502ebd574aef2a7169c1688251dabb01a3acd6ccf50766e22e153fa7c527a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
e49bb32d42028e8cfe5a99a732bc2bc3

SHA1
8d9976bf3bc0ce0b17f9eaa575ea5e37127f0686

SHA256
42316ad39be27b153a7fd15cdaeeadcf630a88d8f5701f527a3c95c9f2c01043

SHA512
a8713e91d6e9c46a590c185a0dc2118c6ca0115b491abbd596e6e7eb693a7d3380ed7fb8aa78884f415a94cfa6df8783c82fcd147ddac725a2357ddeff94afb9

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b4fa260483aae21a9bd61915b747497b

SHA1
181db57bf86a3b95e6ff12a6d9147dfdb6979b3f

SHA256
edec47ce4fbb76efc20a3e1af9ce2be390255aeedf033163ce4bd63366c11c41

SHA512
aa5aec54ad9b8914f4f229aa494469b863999d2ca6de54063ae11c36a975a231692975293653331b4fcd42d3177aebf8c1a44d1a49899c835aca4d4ca3622cff

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
6d62c5b163181062dbb5cf8519d15fa7

SHA1
638fbe9ce328b73adcfbca9d65840e8628b2b903

SHA256
ef9e4d96ac0ecf69cd5eaecafae325972d35c7b5271baa12854e7f5ec0f760a7

SHA512
f5f3b850645b3ac6078ff8d1c0624142d0e76a48a1747a613ac65c065dc3cdf72a880994cc02639fcb4e9356955b69a3776ef37b3b38c0bca3ab1fccb3385726

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
391KB

MD5
7165e9d7456520d1f1644aa26da7c423

SHA1
177f9116229a021e24f80c4059999c4c52f9e830

SHA256
40ca14be87ccee1c66cce8ce07d7ed9b94a0f7b46d84f9147c4bbf6ddab75a67

SHA512
fe80996a7f5c64815c19db1fa582581aa1934ea8d1050e686b4f65bcdd000df1decdf711e0e4b1de8a2aa4fcb1ac95cebb0316017c42e80d8386bd3400fcaecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
1.6MB

MD5
ac815ac2c187d53336fb2fe880c608f6

SHA1
91e942d80f7aee5d593fdabfc731b6d98ceb53f1

SHA256
b529ec7aea6b0b7d1d3b78f0e57080a792b069941e78076af8bf3e884192b06a

SHA512
a0573b6ed3f474899dbdf38728dd64ac34f7a2e3022593ae47995338654353db6c7f7e7b48314b31b67b6b52ac15707918870953761c70673d9b7d6ccd3f9c2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\11111.exe

Filesize
458KB

MD5
ba3a98e2a1faacf0ad668b4e9582a109

SHA1
1160c029a6257f776a6ed1cfdc09ae158d613ae3

SHA256
8165138265a2bf60d2edd69662c399bdbf1426108e98c5dfff5933168eba33f5

SHA512
d255da482ad2e9fa29b84676028c21683b0df7663113e2b0b7c6ff07c9fb8995e81a589e6c8d157ce33c1f266ac12a512821894159eee37dbb53a1d3ae6d6825

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
31B

MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt

Filesize
1KB

MD5
a7c449485fb8a694ec225fb43d962823

SHA1
094e97407d17d2db36a107dc1a4fe9faf49a97d6

SHA256
26125bd932e88c67fa822882d0bcdfe27895e0a6030d8d4de8c008ad87e61e69

SHA512
61dc6f79000d9891b26914718178f5523eaab29cd80d8427d67bdae9cda65738414d9a38c95b31e719975f77fbb1a1edcd4e51489c8e7758ca5035060221aaaa

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
568469cf17c349ea3f3bb5c542b43fa0

SHA1
a90cb32f1df3d7bdc985927f1dd877327c8bd111

SHA256
b23bab2913171be74dabb0c88ca1afc7aed454adb4a1c1ebb5dd625c0d953492

SHA512
768fc62f4f1c18bde22c7cc605560419008a913bdfabb56e384a6cd93f6b086c7b3cf8350be3f8aac1e456533fba411bd746959ee1e315031ffc328a39ae18e9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ca77b88ee81d007ff82e64dc1b4e2d0d

SHA1
3934fa0d7a4367828788b71d28cfc2f747b64260

SHA256
d6277d8d0e38541d75a159fa1d0009102d5ef5beea2c015375cc0075bd0e0b59

SHA512
8cdf47394fb6e35a4cb781a49aba18a63a484f4a629be86c259964037a52acc38117b83a9d6d3b9aff11f7b494248aeab974f741091a4d12956d744ed4366724

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ac28c925284fb40aee799676aabcbf4d

SHA1
2769f580fb294da553a2f29bf1d5f3f7daf901c4

SHA256
27cc5e3d278c834a2bc7d3436534671994c9053c842b02f63cfd66d2c3fd5398

SHA512
ce834c0e01299236d3d219381ac1ef2c82801e80c69bde5e972a82a5d3b07eca91b1ccccf03c8456dd22f97567ca477655a2e0a7e392c46338b1b38bef09757c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9df236486c40e025f51d507bfb41d130

SHA1
6a1afe3e211a17205a68a80af1d2695ae947b64f

SHA256
e475e9b85a08fa51239642bd3196ecea588a877073d4533d1c8ecd7027b05fb9

SHA512
ab2fcd686efb7492ad1b0e5f02fe35e8b4fe0eb4b6d433fe5e3350a781e256516e89a1ce40927dd7c0e80e499cc0833ef45c4d31b504560a4bc68a15e39e79fa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
09185d6110c44f0c87288a55b8304764

SHA1
76ad3701df6683cfd9d195c0b9b9bc59cf433451

SHA256
72d87898a5245eafb736dbd18e3b1c30c966d53ca9d97662b4035e275f96c2bb

SHA512
a28158267c0db097a49422b2c0212d3cb75f8c88652e399476c00203f9a961fcb5daf702da6db97d6e4f78830feec3c8201d72c6854062074fba284f11317c77

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8ca358db0475880d875088f122b466f0

SHA1
2bf948cef3a9e5f512364b401f94d7fa2f32e6d8

SHA256
3b38ad97750493921d2c4778667e016f40e7eff7db64d050d13bd78fc0895c7c

SHA512
7a4f42fe79060043db6b61ebd2853c7a6cfe35130f4e7bbffd3c79b6cf7f1b6e73e1e72b12b72c3528d8a1fa3c992ba0beef011dc3dbf7e1b55262d59d4b2d5a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
4f404a6e945f403ce4aefccacbf6b5e1

SHA1
04c8de2ddc058706a9ab0d91964624259dbdde6e

SHA256
27ddbeefa67189ff821b04b413218f8ef84b6aee9a9c2740051eb9565f5d946e

SHA512
7dca834c087c7ecb1e785cfe6ba3147ccfea3c2b6df583516cb97d22cf718b6faccefca4d785581cf6ec367c941624882b8ffb85dcc8658f211e9fe36a829514

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
25c70531102a89f180bb624471723747

SHA1
4c7faa9958d2484d85db12ca024d60a63ca860a8

SHA256
54417a722301f39f843158e2eb8554a447282fe42007817423a409e28d6e144b

SHA512
c564aee15c18016dff18bac4f8214e9a1d262bf3be191d03208d5d4b479d74a27a3c0a1f9068079a2b899dcb194c09bb8adeda8f67493553ecb645fbf8bce4ee

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8b0e55d543ba9944a6704c4a6341c371

SHA1
e7d787bf01f635757f8ab6b5f1a1590db29feae6

SHA256
f001ca387c8909e2dff69e733a4fc8b4e91a44a815487df3846b80d483e216be

SHA512
cf6df206bfe27f4c018c06cdb8798195eaccd44d78f56d1ab5b9e691d6070f2500bd25c567d19c6d4c3b4d8486a72ac7d5845b31cfc5d8c1da7e367da5897984

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
26a3073c9e2b8ef9272f753e54eaa575

SHA1
0e639d960b6205b3e6a3a4420e77b5b7c3b2e8ae

SHA256
ef8378f1a893bff21ce40067106de664b59fdc7e9560c8ded969ad4b0599ec4b

SHA512
23025852d30b6706cd13a07d4fb3118b011b1035898a552d651eaffb1d4dff399b89fc8a2bf8c7e78dd3682bcc59e563ffc7403d7cd9b5552202948d477193ea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
204bdd842fa515802598075840a79de6

SHA1
f677a4cb2b6e40c870e270efa69d6d1acdd73295

SHA256
8d163afda730a6427e662cf7516c57167a16c373bd69187871462bb56cd28f08

SHA512
f9962e64f9d3b0c1226f4fb56a6cc773867bc8c2a0b4cfb94415467f4bd1cb594bee3386c8df03814ace63933f1df6cd5ab4727dc8b191d5da1c4d05270ec3b8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d342e1310e2682284672d7455fd2487a

SHA1
44867cacab35e4c1b3245efbe01a2d56d4dd5a38

SHA256
16c89a549d3586b8da33d5c32186caacab43103a183efe4e2b0adc69c49e23f8

SHA512
29b7337157e7c4942b02cdf96b88b2708f831fa00db5fc90161ef94d73e4080b04bc4edd82206eef2d135c3e835bd2ff749403ebb3bd11c01632c1743926d60d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
014640ec76a8edabe192f70fd6b1b456

SHA1
d0759cd2a42cceb5c3d2e12336c9388427f49cb1

SHA256
267a4bb581e71599b22fc81b5ba8a3ebdc9d710d7631c9c9aa93be4e5192ec91

SHA512
b93e9f0a39f54f6c1580d2caf8434256bbb7124e42f506316aeaa33e64cb20ed337c4a6000e87a4c5b4d911d3da1dc9abeba7551877a28852c0ab8a54f500abc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
b33a785370276be815c18e1240bc512f

SHA1
b793b3b49e07b640a24505ee4492f9966c4e8e01

SHA256
d72ac8496be9ef186853d31d103a32d6eb9104f7fd179e1f23fd26c506592476

SHA512
ad3a15f4187296da6a84d641fa3b8ff62fb8b3dae1e3f81958635ea8dfe263b4c60294964d14f1956ae3b3a58ce9ec8da7c41e52b5b2d1aeb7b0f15a2d2d9f10

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
860bfa158059d7a7b3a71d06b042f30f

SHA1
cb4d025349b1cbed6ed52f714e13cf9bb9cd624b

SHA256
894f9e9477ad3e2a0780a35d98ab6ed95a768ed5ab498750b15e28f32999b40c

SHA512
90a0243f9e45406b6a13e052f22ad2aa53dff9e7520add7960345b7386cff798a3ce79c46b82782feabe06543becadaba4fed2fc201d18b0422be6629c0b26be

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5a7bda1243f7b917be2d4b9f11052e8b

SHA1
ebd2ebc779f332193838de8b116fa0f6bd67719f

SHA256
b98fb0f3cab19e82de6baee1a166737710cf7c880d500ca2cb65e2d8e04f486a

SHA512
0663521b7420220b1bd3dd056ec7b4d827f6eb25c1233b76f3379e67f3ef55348e8c3a6eb370ec5809a78787a9247003260114c4fd7c9d865de40134952df2e6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
60e5936b008f3e9d443f4125c62bc557

SHA1
41122dde42e46f14ba952966dad9af77c371fb1e

SHA256
5bd9d881b534db2da2ca0f64789638e20ca1a140c3685bd27dbdd8210418ee69

SHA512
e1a23d9896f8fd93607e9768c51bdba47c795ad402500bc839517a3a741b130c059ca81ada66e6e6f969b7a52291b18a1a0ed9bb5332c71b774d43e9c5ce8ad7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35d76cc993d3f5698f353ad864cc2848

SHA1
738242e6a284f4e22990884cef45640f8f7bd344

SHA256
11496ced1183775ef4c33a033e6ce2e4f369dc635c2a5388987477d4fe89457c

SHA512
565f17d96223f96d861363f72167d77a5b097c242a6a899f9d4f52f0940c090e8d632bced979cfb7fa2ba89263d738111f51d40920cadf426dd4f247f8f1863a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
25351ab559a08afcae4bc3f72e239649

SHA1
ffec511e0631d2d235094cbfd723aa2a10f332db

SHA256
5f4ded053e73fde2ec9bb7db88b2609cecf1066efa0123be9248f543412e9a69

SHA512
7ab987bc243bf3f1daeab7aed059ac00d0aa5ec2bb220c63f6c4e3ffb504fe1c4ab68d107bbc74a3f850e5d49f1cff2886dc3b59162a4540fd8b25e3a2ccba8d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
65c7cbed65934962983d102eff6eca8e

SHA1
7f7c1e1e4f681ef4f581a415527d948e79a97219

SHA256
4214569cbf8a917502536735b7c2b7ad0900804891a568c19bea7e2dd2c38b08

SHA512
ab837d5527552fead81f3f5cf8d460c4399032e14d425f698d5183d505c6933afaaeeae693f62c28b63fe7ab7e67bd7bc943249d925560a95f7c911b9ef16485

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
626b5229151aee7c6e20401cb1689ca8

SHA1
ebcc155d7aa4ac9a9a172868acbefa4e832241eb

SHA256
c652063fe3266b7cd3c8b8b0e2c8b29b68b70a0c135c082c045875baa115ace2

SHA512
325ff383871c7e5d56a4ddb06b820576fe22a92f191f8f97b5518982f88f5d1dd559b50a9bdfb430eb0800f33228958111bbe83ee89092a3fd1c204484afec7b

Download Submit
memory/1424-161-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1424-469-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1728-380-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1728-149-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1740-69-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1740-63-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1740-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1740-56-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1740-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2120-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2120-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2120-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2120-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2192-471-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2192-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2428-173-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2428-511-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2436-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2436-101-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2804-137-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2804-355-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2904-177-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2904-510-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2904-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3012-160-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3012-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3012-76-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3012-82-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/3096-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3096-234-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3416-0-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3416-6-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/3416-479-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/3416-9-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/3416-71-0x0000000140000000-0x00000001402A0000-memory.dmp

Filesize
2.6MB

Download
memory/3424-172-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3424-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3500-334-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3500-124-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3592-35-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3592-33-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3592-42-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3592-123-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4040-17-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4040-112-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4040-18-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4040-24-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4176-103-0x0000000000920000-0x0000000000986000-memory.dmp

Filesize
408KB

Download
memory/4176-168-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4176-102-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4176-108-0x0000000000920000-0x0000000000986000-memory.dmp

Filesize
408KB

Download
memory/4640-155-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4640-158-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4652-178-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4652-512-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4724-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4804-164-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4804-87-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4804-91-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/4804-97-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5028-169-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5028-509-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5032-154-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/5032-72-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download