floxif | f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02

Analysis

max time kernel
119s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Size

1.5MB
MD5

ba2f58e1802427899637d66434431200
SHA1

2a3bebec53223c71b347b2c6ff20d5480d76b04c
SHA256

f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02
SHA512

add0662b77553cd95e2a9ee3b41fa260c235c4fc78ac521b446bf61d2d9be6bf20f09353051a93e519fb164a4cf51e2baf41d1c7a2aba3fad65aad0807a815b7
SSDEEP

24576:JK2+JY8ZAh73dfJ4yL/tNCJPXUQrPHrrEH7E:JK2D8ZAtdfJ4klKXn/Z

Score

10^/10

floxif backdoor discovery persistence privilege_escalation spyware stealer trojan upx

Malware Config

Signatures

Floxif family
floxif
Floxif, Floodfix
Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.
backdoor trojan floxif

Detects Floxif payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/files/0x000e000000023b73-2.dat	floxif

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000e000000023b73-2.dat	acprotect

Executes dropped EXE 22 IoCs

pid	Process
4032	alg.exe
2900	DiagnosticsHub.StandardCollector.Service.exe
844	fxssvc.exe
4688	elevation_service.exe
2696	elevation_service.exe
1104	maintenanceservice.exe
5104	msdtc.exe
1864	OSE.EXE
1716	PerceptionSimulationService.exe
4588	perfhost.exe
3800	locator.exe
3940	SensorDataService.exe
2348	snmptrap.exe
2880	spectrum.exe
1292	ssh-agent.exe
848	TieringEngineService.exe
4344	AgentService.exe
1548	vds.exe
4144	vssvc.exe
3224	wbengine.exe
4948	WmiApSrv.exe
4436	SearchIndexer.exe

Loads dropped DLL 2 IoCs

pid	Process
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
4588	perfhost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\e:	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\703c259de5a029dd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\locator.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3444-4-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/files/0x000e000000023b73-2.dat	upx
behavioral2/memory/3444-81-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4588-174-0x0000000010000000-0x0000000010030000-memory.dmp	upx
behavioral2/memory/4588-115-0x0000000010000000-0x0000000010030000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{87F23B05-A117-4666-BB8C-A9C77E6BFB56}\chrome_installer.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	\??\c:\program files\common files\system\symsrv.dll.000	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{87F23B05-A117-4666-BB8C-A9C77E6BFB56}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000193c5877e75cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000391a1075e75cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000014d28574e75cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d075ad75e75cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000674ce475e75cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf48c877e75cdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d42f874e75cdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
2900	DiagnosticsHub.StandardCollector.Service.exe
2900	DiagnosticsHub.StandardCollector.Service.exe
2900	DiagnosticsHub.StandardCollector.Service.exe
2900	DiagnosticsHub.StandardCollector.Service.exe
2900	DiagnosticsHub.StandardCollector.Service.exe
2900	DiagnosticsHub.StandardCollector.Service.exe
2900	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeTakeOwnershipPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeAuditPrivilege	844	fxssvc.exe
Token: SeDebugPrivilege	4588	perfhost.exe
Token: SeRestorePrivilege	848	TieringEngineService.exe
Token: SeManageVolumePrivilege	848	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4344	AgentService.exe
Token: SeBackupPrivilege	4144	vssvc.exe
Token: SeRestorePrivilege	4144	vssvc.exe
Token: SeAuditPrivilege	4144	vssvc.exe
Token: SeBackupPrivilege	3224	wbengine.exe
Token: SeRestorePrivilege	3224	wbengine.exe
Token: SeSecurityPrivilege	3224	wbengine.exe
Token: 33	4436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeIncreaseQuotaPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeProfSingleProcessPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeDebugPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeDebugPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeDebugPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeDebugPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeDebugPrivilege	3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
Token: SeDebugPrivilege	2900	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
3444	f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 4980	4436	SearchIndexer.exe	108
PID 4436 wrote to memory of 4980	4436	SearchIndexer.exe	108
PID 4436 wrote to memory of 3964	4436	SearchIndexer.exe	109
PID 4436 wrote to memory of 3964	4436	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe
"C:\Users\Admin\AppData\Local\Temp\f6e825a12a060164340d6b5c4066ef97eeacadb7ca1856dc9f44446f7e02ef02N.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3444

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4032

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2240

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5104

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3940

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2348

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2880

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1888

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4980
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
519d831f66b5977c7503975a0390bddf

SHA1
deb99f95c2d0fdd8107068d9cbf51dffd14f6593

SHA256
c58f4ff230ea35a56235634ca0110745b3e11a40d67129a3023dbffab3126646

SHA512
652a70b8d49f4af18809022f6c2474350afdd8eb97f6fc2f722d6be655a34be3b189bf809d0e37c9a19267ecaa328fb69e0fbc4a712daea90670b254bbeca9ba

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
d1633d2aee8a9cdf9a2c505daa6ae8df

SHA1
0f9c9614251af486287f66f60f002d8094bd6ba4

SHA256
b68e3d2d84561c3d92ddd670944139675edc6cd5246561e0cd5261a59f2b305c

SHA512
75c4ca49a5760902cba71d293728d5e0485197da43860cf03fa0e64a5c036c03968de5ff3f0dcf693a8c53a44aedf638769da1b99a2cb93c9f30e66ab4598dac

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
92c9fe0885c5d407fb8b5f4f70db71d1

SHA1
6b34cc229833c9694ce8f326fcf0a3d1772892a3

SHA256
14aa9743bde98a2e06f3154a4649f8a063c8d1a32f121401eff6943ca11ab349

SHA512
3fd60ffa26d6f3990394df069f3098a82eb0d196726e4e1ef58b54845323ef30af8db73f01b0b96b9008cc84b91eefcf506d79d3275b877cbd2225cf31a37874

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
efa4aae331db31153b3c446ca413c01a

SHA1
f0afe8ab6cd1e38a58521506d2b84ab47a9ea8f0

SHA256
df757e009b1c7f57cce650318743137da36e1e085537d4aee785c09a359b4477

SHA512
56f928a738e65c7db51084c5d486528c9f7d4a44a5652c05d58d2ba09c9c72472c754293d8b0260dae9d30c46adf990de60e492fd175a34dcc788d67228e370a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7e21cb9f461655a381030458771d8f29

SHA1
9f274a4a1ad9f7e81705a76ffd03b0e4a6c02146

SHA256
de1721b5a90b376357ffae8d13208bd655ac143b7f240f50ab0c44ac20ff9c6c

SHA512
81369f7a7bfa2a3a7e5787e463a0db8fe63c72adf0f9cd0eb51483cb410cf16680004bcfafd95c1bb57bba905ce6ac4571b3e310155f792973d6a89e4f6483c0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
005770e93edb7f9de1e3dcbffe728279

SHA1
912147e485c1c8133cc0effef52a83e228297f3f

SHA256
7b98d620ed2fc1df6a86502591f15d14e107d4aac18ec995bd5185f03fa7d4ea

SHA512
68569573feddda9ef4247a4028966df34ca60a66a9d34f62ad737be658866b8e79db01dc7915c045be7fd29325c5edb18b85a07690278d56b9cbe4d207849f8a

Download Submit
C:\Program Files\Common Files\System\symsrv.dll

Filesize
67KB

MD5
7574cf2c64f35161ab1292e2f532aabf

SHA1
14ba3fa927a06224dfe587014299e834def4644f

SHA256
de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

SHA512
4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

Download Submit
C:\Program Files\Common Files\System\symsrv.dll.000

Filesize
175B

MD5
1130c911bf5db4b8f7cf9b6f4b457623

SHA1
48e734c4bc1a8b5399bff4954e54b268bde9d54c

SHA256
eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

SHA512
94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
7e46cfb62e3ee497699470864f716325

SHA1
090dae15da0d843289a83f9477048eeae68e4b6e

SHA256
b9e91b406b676dc91a232e11c8875c1e23a6ca2003c65afe2b303bd7aa1478ba

SHA512
a337c9bf337c6fc32ea8374046a87914ead9fbfc40bb5d29985a574aa073719747c2badf77f4ef28f7cfc9170fb97407cd8c8f8c2492cea205d9421bc9b8a9ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7766178254563770dba325d85bcdb7d6

SHA1
eac0cc46ee7c6a4b725d48872b40d53892d418a6

SHA256
b7290335b310c763f95840863e54dbae0d194b0bc3208ceb722fa0c83f293bcb

SHA512
340a41b0eace5a87fb1ea273997ab9ed3c565554f5f69e66e4374d19cfd153ff4f2c90153e94c7bf9852f42c0925f7d70902cd3bbd18ca2d12dd75b8d23ca9d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
0f7966e95895dfc0142e2e23bdaf2c47

SHA1
d1256cf8d5686014a39099aa371cf8e159d85892

SHA256
5a2f4ae8f0a78ff6303313cb84dca422107532bb84cd1dd693ca4c437fc307e6

SHA512
c27545f79983d8e9dfa882cba98f8801f7e20df315adfac618c6cc0acb2476de72cd7c22101b368e9944d457c3d12de95b965e9c816b359f9fc198eea5da6874

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
31f8c4f6a7eefe12083a63fe3dc57dbe

SHA1
2d6588d5cb11a12251d27f76a077ecb7b3e5b977

SHA256
7dfd1854a80cf3b48ee1c804e0292ecff6c82c6afc161a4c56f666398e6ef812

SHA512
358441414c44b0f947364afd623b478f4cea0799963d12bf09a2937e5322199b55ba7d08e6f2654493916f77387d0dee249e5f75dcc1f0b08fe587274bb82db7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
19cc7882433d3ef504ce7e1aba069843

SHA1
807c46bac5b52fb387ceccaa5814705c7ae1815c

SHA256
2a5c239086533d5492811fe13bf16a9755eb684a74dd9303354d7b54ddb29e9d

SHA512
e24213d674fe9d38811e76698a9391439ab9402e3d3f39d4d1cfdf0937b215d019c5a247722659fbfeaf30d8cdaae8e711c120dfca4798072ed0f52b4f702ae5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
82599fe74f63dc988252bc854fbf8d86

SHA1
47b488b99c62059fdc1091ca64f0588cf6574835

SHA256
e9e355492c8c689c3f7b6a5a5f6ae248c462a0cb6d76bd9587485f93ed3bc011

SHA512
9b40e61b5aba93f148a786dd99ede3ce008d7108c3c6422f3d6fbc86a8bb9e18916a38ef62138ba18c3b605ecd5d88a7f4162afa43c892a462a16a4d5b60b674

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
dd3f55bbe7f5c42c9c620c45bfc1da29

SHA1
d125b6a9d0cde4c384049d99b5b085684edb1116

SHA256
988ce6b1d5a585245b332a89dfc53a6302c3a010da8f8ad4a02a74f26fea9464

SHA512
e2910dc59c39ea862580bb66a4e0a9a623662c81fde63c3d4818718e8964d227168b43f441a938df5224baac95d4c873771f104f88b89a3cb926928388ba1775

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
002798cd06b0de35e3fa458120142428

SHA1
3714a1d093ab6b82aca6490c90f264e8f7d0d80e

SHA256
06b2b4a32feed958df8ba2965e93edcf7be5c641c26ab18cc4fa27c262fafa7f

SHA512
5c4ec5768e8c3fa6132b59ca15079068bc6673932315e601198432725fd961b78a9fed550867875830b0cba301d952a8ef4a9f61c26ad4b56dbfda9233909c8e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3fdca4ce60b9ce7d6b1d675d44ecdd72

SHA1
92755fc496b8401e079c161def0dc7f9b1b3ca18

SHA256
b7c8b7199dac28bfb326a8d77ea1845dfa7e468309e4adaaefdd619976bbd549

SHA512
80c7bf487689fb3cc3a609a95194a2b92dc94e97f30fabe2530f459db5ca325ae980be2c4f497d4f2a305db3f3bbb6ad48a88767f24dc20518062e5ab3051d8d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
eddf79bb449aa947092e60f00e3e1bad

SHA1
8089a68130546a712c66e03164bf76e4348cd64d

SHA256
73948747f49d86ab18fa5400204731ecb9cac9bf967d275c12790bf087333a09

SHA512
54c587d87656ceff7ae46a807967fb5c52db12318d7284ede710ae2e853da3c662add6a835bf9f0d609a0c0c1c3cfc25b107b02094980dd22a7a6a68bfdec271

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
966af08461ce81b4665e648edd6f0af6

SHA1
5183b4cc53f2e866e58c2210a1516424092130ae

SHA256
1ed1f80ab80e96c092d22dbfd96c436804afd1bcb6955d1fb07b0db463a1371a

SHA512
e8528f6c3469a8a9c10165c820c11526d3d6bf800256c9578f2d1febf8f159b4a4a80394cb8d096930622aedbf275decdf8a4dca59bc763a3265d2969465933b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
39ab239c109ff4094c893382dc0789cd

SHA1
004911a2ae0789ea5c2bccbae925a209b7230117

SHA256
4b69ff92f29ac475f5b57a38c3ad76f952d3dfbb5e1a34d536e5b8b6d2ed543b

SHA512
e6567819bd3398c69286fa58ab1e978575199b30f2fed1a4ca9cb52faf41b1cd687c3f484932979b9d78b577ddab2debdf5a450019fec1c43343612ed27e564c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9ce0d67ffa8eb9e57af9ac907eb25438

SHA1
b6603492833d6f695cd587d56d86374248fb017e

SHA256
7c25572f5af1bdfa6fee38ab49fb653084bfdc0c623b480f039f01fb1f5f83e0

SHA512
c336f0b9864e26c216f37bca8ab33834a943c13c67c266c565356fd29ea7f2e62c72a9d105f331497f0d7e25fd3a8eab0c33c2c7d487228dc7a08cf2d5776a58

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
48530f5a27c7e189e3927b86cfd5fc04

SHA1
b78639a069c1599f4ea80c3c54a590265ef6b90f

SHA256
38e4416bea43441db5c5a45bdef0aa9f351c31f5c596254ecbe117faedf2a652

SHA512
714b4801cdf1bcc528e7c5f9b257133ac546d318a57735821f47b3753e0d7ff632d91bf377295cfb5de1d60223482a329956a04e9c1e81b3899c9877f9414443

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a5406e7e451b49cfe40e57891e233e80

SHA1
2b0ba0cfd52c24a7862cac17e83edcc62ded25c8

SHA256
1afe489ec41b397eaa3fc756bd79ba5b8dd5a40f3044361885b956e7dfa3ee32

SHA512
880cd90744b7bd5bbe55d8b0d21c818e70495ed6cc508260c2a7bc10f6de93da0bbd818514eb7d55196b86340408d0fd17e3a79576c122e0bbec66f52cd69203

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0dd4a036ee2e65da70ad1679a3ff9376

SHA1
9bccc57bce599e1b12ecfd682f0718ad884cf6dc

SHA256
0d95930470964a0ae540cfc84910241f3befe2a1467d37d0ab2c9bb6021ba87b

SHA512
2eaefa28900555a714775ad1a255db570f382a1c87b9f732cb96506a9c220b8188e6661a595e5422197f3981890ddc38777816b0bf6a307591752f36f9fac70a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
391907a05648fd4c58a3ff733d6cbd57

SHA1
4f2d4b25fe94a71705c5091562281285c5b7c93d

SHA256
313e7941543510360e17b4f82113b11cc56a9c42b444e9e1c5b211850b8e7998

SHA512
e3b2c8eefba89719bf04b61f1869591ff5fc61b016a815676e2062f93b1af447508efb6a9f55edea0e798fb09942abe2e6e0acf080da808b8b5e4298b21ac577

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4f597ab7f692c7f2f869748b2936b396

SHA1
bb0f24ee032c8377e0a00264661a91e44331c60b

SHA256
d5a08269ff2e774094ef4c6cfff32c1d63ebb1b2019bef394c344da65e683176

SHA512
42c992c58ce4b29335221c3421ed035c0252c5e4d1614d01fe605f8324c7c5e7d68687e1fff352dddc758932fb1984c69431fc4b6eb2cfcc71d23a1e69af5059

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b487fa9059c21195c1b162d0fcb1e0bb

SHA1
28859b30703160b3857163d51931c89a6e0c3318

SHA256
570183c6360f17637557515dd9cfb53a01bd094f84493a46d36ab2be44b0b28e

SHA512
d9fda0edc20f6a30ab44ef8924f995faacdc0a8988faadc8437867dc166ea5a2c2f3b77787d15f19c0cc49a0ff57502b5f0dd5df89f81a0ec8ac4dce49e0154b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
658cd02fba22431735e61e274c4231c2

SHA1
2d68de584e93e83d65624546a0488d8506da6f1e

SHA256
ee59d9e111b3b4d98e77c6d6e137995e8f387f5285e75f0c8eda09a76543ec55

SHA512
6e88d1c3cec0aa5b1a61b47d250374a1e5abd5145528945543a7ae4b1bea0d8810cdb540c732abe41287ccd973bae0c44d21d5ca6994f75c42bb38f2d4cda1ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
9773050a0b409224da3867298419abbf

SHA1
6fba99e47ce2c43c42215fa5bcc7d5322ccdf1b2

SHA256
45ea2a8773471426ae54b9d723061bddcb34873430cafc56c1daf705099c448c

SHA512
2010a10402f3cac754268f78004cf518d846a7bf584a89a65f66d754ef40ce1294d0ce9f99ad9d3eec796cf633b0689223779872e574995ebfa9dda9427e05f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
2c78af5f3050c7160a24441ec7002053

SHA1
e4c9a93b0f9667f45f0c0d3eb0bea600efbd442a

SHA256
7415e9533369e5de59b03d79b934d221846bbd1161f1db341068fd4f677f1eed

SHA512
c09df72d030b277ef8ccf15bf2e38c4008ce939b8eef7571a3276b4896a4b3a8678a328c224a282c5579c3ac416998f2ffea3087ca8431441d94546afaf05e31

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
8ea6d4c28eb4619fcecd9719341a464e

SHA1
5d0a06e736a5931bf38f54b9d7af3481840462c9

SHA256
9f1adb715a06175b009f52aea57f2ca39135317fee3a46a8a6bbd894926ec04c

SHA512
0286ddccbe2e14d838bfe064f10fb9b13c34e23c60db696ce98ee0018559decccaea2e81c648b4bed27219bdcfde32ad3e50d237cff0102c5ae1fcc72fc87c4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
a782d5a50c9398dc8a0e3b3c080e4997

SHA1
7a3eb9a8facb30ad34d3fe2c8230eeb95d5f961d

SHA256
94a58079814e88be9b40307ec94f033b6b9f5229b0e1273d72d5fc31634f52c8

SHA512
b9bba9461c937f57e1294214d1aef5cd429278df156cc72f4c108c208b1e4adeb5cdb38685fcbeab0730303672990b4976feca99b24d46185f74ced647012781

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f9d1123f49dcfc15fb9db3351574c9b8

SHA1
ad8ae9cc4f8561a4a4cfa678452191a179d0af1b

SHA256
2db3bfef4c6889b73a232952f26258463e2900976dbbfe3b67783cbe64bde21e

SHA512
c987ea340074a69142b0e2142b915d7370d4c7e2d11bd810c425684f1ece876350527f3b98ce1784fc9b5f689e4e74c53cc313137959ec62691facd5bb31399b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
f422adff28afdf2b77624da8552756cf

SHA1
70dae178326da449df4674eafecacc5b56ea81db

SHA256
aa6d999cb5fc1fd6077759d05af34f5f3b2cf2676994b4f8207a951d48b68f01

SHA512
08a0b2f5af6afd55705636c36f07695231126616a6ca253b451c029a8e156c890934de0263fbaee62c52fe1992a8b7299a31ca830429a2226bf4d41e03c9368f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
98ef9e1d01f27d632f488ca7a7c2114c

SHA1
c8c68cc0ce6fede10e745874b64396f464eb0321

SHA256
0f17ec6386aef33cc52d455b48b892aa39751fad83d995f58661ceac1dbea883

SHA512
b0ed5d888ef7726a026926d84f6541b6bc3543e599a2ac31b2f8ff4e24bc7385e3ecfe4b48d886fc00dc191f20030bedab8da31830b237f190880c82175fb06e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dec2784ed95e28393b474b770eef4c87

SHA1
90580869dfbd25fd7403634dd987aa3d1f5f36de

SHA256
6fa0ce5ae7f3faac597092d6d0c2dfda48e6b134a703fe64fc80e0d373cca3b8

SHA512
8ca8e99ee5826998ada0ccab2ed3d4cf9babe8716a0c3a2610d91cae300b4b568675c10f4a8c9a10921d0a5dea08c1627f1392891d7c56792fddea3320b413c3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
a2e345cbf412f023c71d794724ac97bf

SHA1
87a98b71c116e5eef717781c44d7251602ac01fc

SHA256
7693a462a169b7047d06a04d4e4dcf40381a9c554b1c37d21f16e227ec3e19e4

SHA512
711057f224f654ff0c4672e6ca31e7b9783d197403d27b9c819f7c3510ecbc4306fa60f16f4cd7379b53f6f5c56455786f8f481a93735432f8305f3de54c2cd6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f8646b8c267877afc9af48aa1be9b3ca

SHA1
75c78b11278f5b710630627f01dacc0e8c6cd263

SHA256
a4151e2147a0723251fe716eb1a7c12944664ae03f39d6429b3a7f646607726c

SHA512
43506478a8a09cf5c0973ed72b6097d6f36053a6b9fb2ccd56b48fc7dfa13668b1a45c16995a516ca4acee08d5a02536b3ca87c7984433d12c59e1504c0b980c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c61b93d885bfe14c494e5a8edd4739c2

SHA1
8400928995c9a7dcc96dab388fafaad40fb8dde7

SHA256
f87be4a916408b4ac21d77f55fb73682fbcd8bd50a69d0dcd7d148eda6ebb464

SHA512
dc19da5b0a30e9d3f9fb07cea9ebf343488e6fcfebeaaae95617e52653aa1a15af49854f145c3e05210dc2e2c53a695be014bbb5cc711dcf485cbf3bc60e1017

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d53f93229fb5b21e336b5a617e0722f9

SHA1
3b1e60f149546deb378790568b90a0d391d0adf6

SHA256
a366c97dc7169862fdeaa4151be3703ca1a986b7c7056a843d79244c108d165d

SHA512
03ba104513715188bf44f6f305e95a564c9bbe8046458b332cb2ce994ce0d0aa087fedcd2753a2b07f4c5bacad9326d13096d9b09781440399d87fdb57ce64b6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e3cf3b2e4ace5d85b4ec1505103be9c9

SHA1
0c0881332f09b837f8ae980e2a0e98af4b732bcd

SHA256
9e0162aa513404c7be81c75e75215458706c27edbea2df7407431f871f42a1f1

SHA512
acdd7f70e251047762c6cadc3fbfcfeaf936788b1d14144c697623dac4ebc78a561a410f912975ecf47f425431f980d221b489c6703ed64d8f0ab5405f1482b3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
5535b3e20586272e801232904205b78a

SHA1
011c32b7249747576cf0644ba1529a48a69b51e9

SHA256
e859cbef8a68747c3e42c2d69619332a6db500b753b5454a5702b91405aef029

SHA512
d2d23f8df626bd7da05249d7cf81bbd8e9f53d634cedfad1736f9a8cdb1a0c3aa1199332d76c9f9e935fd17c451d3594d0fc2fffff2f7bcbcf09a5c84bfe44bb

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b15e99bd3dd46eeae432a674e213eb39

SHA1
1c20ae8ff51af2c7e02ed7e2111b9812fa228ece

SHA256
bc35ceee785c33760bbc121d4bed4461fd4e443eb78e395d5f2cbe2516cae747

SHA512
f99a2da2f24e03caee207a8e42b5e9772116d93e19624bfcae22b27d06e31e490fb39ccad7199fcfbf3ace5bffd1ae7b352d236786e33b485729fb5204038203

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
e7df3c26995bc8c40fe8ae15e0aa192b

SHA1
50547807a9076ec56ffa8cdd8caffc70580abc52

SHA256
111cdadf30f6f4afd30775b58dcdb22393d271e948586ab37fd44dfd54126843

SHA512
b8f23d93aa2dfd4715e4e447038211482f6fa50276fd1c2564ce0f5c8c4942333c74950cf47f090fe462494f9b1fa47e4d93a4a67a411a1b7fe1ba35787ec6d2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6d37c7c34de4bdf13ad5abad03ad00e1

SHA1
5228fc839ae9adcf1e094aa2b52c23251a3f85dd

SHA256
01a9a9696adfb0a6cdb1baf1e8e77a448d89992964bf810568773ed9bf9fc9d2

SHA512
a8eb31ee383029d316d9af479daad8443998d7cd1ab95ba0c0e6c17a7664ab2ed6d6d6fc9d290de18568769835ea82ae2dd26318d3c15485c1c7891182288798

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c0b8407c9b00fc7dd1422cdc41b95692

SHA1
e23779f3dd99401873fd1289b91296ed945a1dce

SHA256
8be9a7fcc9ebd2e85769f515aed35c987340f07fd5abb7bab00bbaa65b8c070e

SHA512
9a912b01b08a4c4aa283342ac50eae902659c495e78fa54f09f5906b4b5ae8c420ae7f45d6b1aa6eaab03bcc418b88483cad6d6fda00812ec89257efa540beba

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
89db3cd8b0204a2036acb1d25066e839

SHA1
8b53451345710ff5b3c946476e52451a969bfbc0

SHA256
59b15b31276f3441087e522c394cf39c379bcb3b0d32b2fad701da9a80b83c3b

SHA512
fb5440d89ed341df1926dd2c1e37b0039879a5b13e6e34350f61192a75dbb685c586862b46190a8d85f90650a7f7c72fc19ebf26875a6afbf2e71abf5afb7b1b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
547e0fccb45e1702fae6748de65381c3

SHA1
1a23b95d5afc878f7a2e95cb09b2a2f71617933f

SHA256
ec10e699f240304dde788fd6b45865d78c2d2f9c71c0d653e99a76723b603193

SHA512
495c0393f63168382152686e5d08dea26ed49967df924911a0969fe509581de6f02e1a444e5ce3a3073dc6cb56dfe749830f6985d4119ca2c7544aee6b70ef66

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b1835afcb6f8dff09d2ec149a47c3b53

SHA1
ad354f702365a1f78a308a9be3a579f023ebdcbf

SHA256
7029b573833b68ccb552759d8099bc39a201d5f633024e42118d3caa2c025577

SHA512
fa47ca86510fbd0466742522d94d3ece6c8e86a0ccc9a675de01f3195f5f4ac352df85229c66fccc5abe358118deefd9a2d45380dff26cc0e8afe1c10485c422

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ef3ff9299a972fe0ec532ad5fb44780c

SHA1
706bfff923894fa76e6801fabe54e902e15abc69

SHA256
df588e3a20019ab0c08988c03d513afc8ccf9f9950d61c232e50c73f53171043

SHA512
bf6a747a98bc4c9d634663408373def83fc6a657327b9b1a1cd64711da8af1d330a4f6f6ac4911a5a7e09eabd8b1664eff1be9787c2be2baf383f5f894942a1c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
bc997126839769efa859a9ef6ca76077

SHA1
04592b691c17ca1fd05fd640ee288d15039319ce

SHA256
8aa6f475e3bba77da99801a53c5717f90cf23bfb51123dd4571f3861aac9028a

SHA512
b119aa4e1b8c682e5ddda078374d1b931a06cf1826baf64b055eed5f94545152ca90907802ce0423554d71e51d9880ac351688e2294d89a02a35a98fada07fc8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ee50ba5e5c49bd2e2fca4269d6bf1224

SHA1
08cce91b61047f26288d5ac5ca2827baeb6a1929

SHA256
8906c321bc1f8489c063b85118e375cfb3ebdada708e623e48d09d6c315ab0c9

SHA512
310bf3bdc3b55e916a485a78fd0607c679304bce4182ceb89e8b182078870621cf9c3e277a59fd665d0bbd30d178afe0b78ebfc37feb932e14a6f930d0b08537

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f53a3a2237c320d72d2094182439f9fc

SHA1
9fb8b40a17fbbd301922d13145926e2e53bc16c4

SHA256
eab851986cff18a941d1971bada47c54c4091614d6c470123b697c13daf17fef

SHA512
b8254ca438d2ab7d855fc0935b07c197166730561936cf219ef6b04f69b6fe7264505b9de15a24ac6f57ad2e5f83697b8c7c2546ea84350a04f67da70bfd6d50

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
d76d5a8d7d78869dfc94992f00317d39

SHA1
b4196f68e9de6234d6fb7eac4aee109b064ea6e4

SHA256
5d6c7086948d27e1112d82a94868c24f9cb7678c56cce19a4c8b33df8d9c6730

SHA512
97d81b089171be136b2964e042f8cedb6531cdeac3dc9899142cce64767672341bd93e721f07d50317923e54ba2512c22fb82418e32c6cb17523ccb9ffe5966f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
12a11d2ad05799de8c04b3e4de4cb3ab

SHA1
c3f8ebb58b6488946b2e705817da66f8c10a637b

SHA256
683028dc68dc0fa0c107ce08e64406e041625596807b6b00dc55766698581422

SHA512
94432861a71fd8f4a6ccc4979ff1d3595a4914ed6c33c609157069c1a34813f453ca2acc82c731f05e66444556e42d12b83d3da710408ed278fd6113b905729a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f6101c9c92456dd003364790ebed63cc

SHA1
78dc353eebc5776643c94e6fe40354d504fcca86

SHA256
e6aec42d613baf32b33ef9a90a8affa5afdb82002c545a5c3945d18db9e9d5f8

SHA512
f351ce4aabc08a3cd59f1f8345dbad4091114e85f4fa0c62822175c4f64e7fc16051cb198c3e432e422b24078478e5402a17da442e0158c641c0e4368e1af3f3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3baf84b075350746e3a4e9a1f0265de0

SHA1
40d1252e8d90b02a6efc060eea78cd6081d54eb3

SHA256
b179056b303b0cd8d6e6521f1273e29777cb7cd9decc83d7eeda6dcc068b43ed

SHA512
d6b6e550049957854faee1a2d76864990954a1b0f733b478bfbe01e74cdbd758158e99b16615dfa391762a6d7f1cd5a2096028b491f4cd02777a6553b5248215

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
913af0664eacd85a3f4fcbe2d7a74a03

SHA1
960cbed4946957a2e9d69f1615b5c9d51c6b865a

SHA256
1b2506bbf8d055fe71c1281860d9e7c12ac150d27e5139e65c3cd81a2558bc12

SHA512
38f326eec4af120e5c5d330c3e3a4d997c5fd2be1745327b5ec805e39a1cdd045a0d9e0125e5ac8fd1c1261ba139d43464a02e6aa7076cfd8af4b8dc8c194404

Download Submit
memory/844-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/844-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/848-322-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/848-162-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1104-64-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1104-70-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1104-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1104-77-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1104-79-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1292-158-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1292-293-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1548-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1548-171-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1716-105-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1716-99-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1716-98-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1716-170-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1864-86-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1864-92-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1864-95-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1864-164-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2348-254-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2348-133-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2696-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2696-144-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2696-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2696-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2880-258-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2880-145-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2900-30-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2900-22-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2900-31-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3224-455-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3224-179-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3444-4-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3444-81-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/3444-75-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/3444-0-0x0000000000400000-0x0000000000613000-memory.dmp

Filesize
2.1MB

Download
memory/3444-6-0x0000000002440000-0x00000000024A7000-memory.dmp

Filesize
412KB

Download
memory/3444-13-0x0000000002440000-0x00000000024A7000-memory.dmp

Filesize
412KB

Download
memory/3444-14-0x0000000000422000-0x0000000000426000-memory.dmp

Filesize
16KB

Download
memory/3800-182-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3800-126-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3940-130-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3940-186-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3940-456-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4032-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4032-97-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4144-175-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4144-436-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4344-167-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4344-165-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4436-187-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4436-493-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4588-115-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4588-116-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/4588-114-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4588-121-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/4588-173-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4588-174-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4688-44-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4688-132-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4688-38-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4688-45-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4948-183-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4948-460-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/5104-84-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5104-161-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download