darkcloud | 8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2023 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
Size

1.6MB
MD5

3d1072986b88dc6184e40ba0df6acfc2
SHA1

3dced4443af3c9591c948c827ac5b02bd0d31029
SHA256

8992b94e147a940a1da05b11631e28202c50840902fa372690485b49c415e4b5
SHA512

6b072f7e1b617a1426faeffdc14b80259f2601f29f5df65953694917cfa9611379976424ec37ffe3d139f5abd1bff02146d968f6a47d96d57ab4de1bb32a626b
SSDEEP

24576:rPKokfY5HGAg4y2oLeeHlQFwSohxt3jIwYg94ZIgUZ8K5BEuww4sXpA5jp9DTS2I:LZWY5mz4yJSfu/9IwYgeJuw7sX0jpd

Score

10^/10

darkcloud spyware stealer

Malware Config

Extracted

Family

darkcloud

https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 22 IoCs

pid	Process
1844	alg.exe
2588	DiagnosticsHub.StandardCollector.Service.exe
4260	fxssvc.exe
4612	elevation_service.exe
3444	elevation_service.exe
3136	maintenanceservice.exe
4036	msdtc.exe
2760	OSE.EXE
3820	PerceptionSimulationService.exe
4724	perfhost.exe
4732	locator.exe
3352	SensorDataService.exe
972	snmptrap.exe
4644	spectrum.exe
672	ssh-agent.exe
1172	TieringEngineService.exe
2656	AgentService.exe
1696	vds.exe
3788	vssvc.exe
516	wbengine.exe
4816	WmiApSrv.exe
4436	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ffac0b9fea807a0f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\locator.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\System32\alg.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\System32\vds.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\wbengine.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\System32\msdtc.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\spectrum.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\AgentService.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\dllhost.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\vssvc.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2544 set thread context of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005db54ca8c87ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ef852a9c87ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000315893a9c87ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038071da8c87ed901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ceea4a8c87ed901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b1b311aac87ed901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
Token: SeTakeOwnershipPrivilege	3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
Token: SeAuditPrivilege	4260	fxssvc.exe
Token: SeRestorePrivilege	1172	TieringEngineService.exe
Token: SeManageVolumePrivilege	1172	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2656	AgentService.exe
Token: SeBackupPrivilege	3788	vssvc.exe
Token: SeRestorePrivilege	3788	vssvc.exe
Token: SeAuditPrivilege	3788	vssvc.exe
Token: SeBackupPrivilege	516	wbengine.exe
Token: SeRestorePrivilege	516	wbengine.exe
Token: SeSecurityPrivilege	516	wbengine.exe
Token: 33	4436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeDebugPrivilege	3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
Token: SeDebugPrivilege	3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
Token: SeDebugPrivilege	3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
Token: SeDebugPrivilege	3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
Token: SeDebugPrivilege	3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3952	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 4772	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	89
PID 2544 wrote to memory of 4772	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	89
PID 2544 wrote to memory of 4772	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	89
PID 2544 wrote to memory of 4532	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	90
PID 2544 wrote to memory of 4532	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	90
PID 2544 wrote to memory of 4532	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	90
PID 2544 wrote to memory of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91
PID 2544 wrote to memory of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91
PID 2544 wrote to memory of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91
PID 2544 wrote to memory of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91
PID 2544 wrote to memory of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91
PID 2544 wrote to memory of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91
PID 2544 wrote to memory of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91
PID 2544 wrote to memory of 3952	2544	SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe	91
PID 4436 wrote to memory of 1644	4436	SearchIndexer.exe	118
PID 4436 wrote to memory of 1644	4436	SearchIndexer.exe	118
PID 4436 wrote to memory of 1864	4436	SearchIndexer.exe	119
PID 4436 wrote to memory of 1864	4436	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"
  2⤵
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"
  2⤵
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.29310.32138.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1844

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2588

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3444

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2760

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3820

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4724

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3352

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:972

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4644

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:828

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1644
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 924 928 936 8192 932 908
  2⤵
  - Modifies data under HKEY_USERS
  PID:1864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2a006cf883489c8f505f50faa1da7030

SHA1
a3319c2804b1385b18cc99545bb4060936004f8b

SHA256
0b774af7faf19a73f6646a606def25eb81cd557153a47b458dec68e3705d14fc

SHA512
d2ce6e9f2a9ea5179201826f44ffe66e2b7913ea87ccee651eefa8efc536b5ab9b6aab54aab45c348a7f236eb5b216aa7b77f18187c84ae8fa0638fc22e4cca5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
33652f2015b675d08ba1ea87f954480f

SHA1
f1a3865b985e647ee38d6948b02d33b5c7578a72

SHA256
e1b71035854dc61c323f0a41f3dbb5aa4a71e5002ec2da6e7c01503a442847ec

SHA512
84048cf0da9ccefab0dd4012128553008a0c8460f179f0fe4d3db14b362d060f6ad1499eed29bba119cd05682edccd45f1ff206143360e6362ed96b710cac574

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
115KB

MD5
08115c21d9ff7bf67a3f18959060205f

SHA1
93a023b0235ea02693271cf2396b8575e0912f4b

SHA256
8cb551ee466ec692c12606d4b95b212a3beb1c41e21e64cd17609cdc30431886

SHA512
c611e06ed06d2df0767807db7abc6fc3497205fa85af21ede2be5a00b6d0254fbc14020de8da9258647047b2a96c694b1751dac724ca5cb04ebd989ffb225862

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
0d0fcbcafd0e242fc2a2c03634ba8efe

SHA1
f5b946cc537dfbac1d6c99e2768ad7d8c4cabab6

SHA256
afbd8fd3ae835a8bbcaf25cde3c9c5eaeb43ad71d10367e7ef68e66a77f2b055

SHA512
370c1333645282a7e5c3089d67b4a1d22671b3bf29d3b451d1acfaee35045a1df3cb382b5fefde8e1e960eae63cb5b458be4b3bfe62a272cb43d3fe6c4bfe62d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
067d3210b7cd3deedb89c4c88f87c4b2

SHA1
8ae9ecd76ca8857ddd57d2802e537a330c0b4b4f

SHA256
beda9335387d84ffa3caf6d905a73a9b219b16f751c8234c25b51064c25c75ff

SHA512
0ab14d976e271bea7485e155079202961cdd189957dc34f79415c982d61fc41d515b6d3e7145f297255908bb76d5e80966eef60b39d6db4000e1b04b7aac3279

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
64KB

MD5
bbc40a2bce4a7b6f3cb79105ac8900ab

SHA1
41891d263a95bcd18ecce1a4f786803dd3f36428

SHA256
22b7563c2a258ddf7f9966d1f5108c9d3a03031429207c7b2740e5841475d6d3

SHA512
ac07b3d15e4c2a5ff6813af02a4199cbb464abb86c5667fceb010372f25eac6218d699cce63be87a50ff439c33584af5902006abdcf49892cc5b4e7b9f728f8f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
64KB

MD5
9aa7043bcf790978fbd1b03f6d8c1ae9

SHA1
c796e18b3a4db215605b08530f4b312a850707b0

SHA256
e21570d5c8e4205c40ad202d95b71855af73ef40fa382077853029e18073e5c7

SHA512
c2b080909be3cef666a6879689d91d24526c33763e390e478f44f599bc03952bb5be3ef14675cf9159afb08881f247ee8dcea6f138f39c0be82297765d5ccd25

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
64KB

MD5
5294ce3027c2cc4176f0b4fca98baf12

SHA1
10a87f4530129e287061519a2f6b8faf62679a0e

SHA256
7d3823a88b3915e372a1d8527d7417136d891bfcee981c63dcd9ac83d0bf959b

SHA512
e646592367048d8e955ae4c788439aa19058920565756539f5888713d062521d794c0d0ab3cbba92c84ec2de13a6e784cfd71f5d2c46acb5ff2e8cce4dba0a65

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
4020619d9b7bb2e9b4b1edb91a06c8a6

SHA1
c664d60110843bf051f97f24219df4c28704d7cd

SHA256
cf5f3483a004a73cf4c153f9fc2f386c2748895f6e241e905d266ac6fec0c509

SHA512
f07412259fba0bfe36c37cd60fb6e3af1f475bef0e7107964412319a71acd96ba161d48bc85bf8dbe1b7f2943e3d41c01d1e2b094c6d1e34503475ebe61bce75

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
072030a2796b7d520fa4804cfab4efe2

SHA1
dcec67c5633570cc8960932c93ad030fe5d37416

SHA256
ce30523efc68a9342b1a4c84e4541d946a2fd93fe9a8080deb64c87dab6a4493

SHA512
64a36bd53cf35d370150f1149cdc68261d80393906f6f169aa1ff60ebbc06819ff32a48ba2030570ae0ae55148e15c3039e010431e4d97740deb06000e3c3be1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
97a28ffc81b1ff11826a6f2e35140626

SHA1
d782299659aefcff82e41d4e4a0a20186a6e2796

SHA256
2ffe97fe4024d1b2de134af63eeaa6243599643494c4678624d3c0bf569313f2

SHA512
b3340a152c5e74c63f678bc8d257d46560016993944bc74f7b0771a08a246b4e552f91e3fdf79e14c1b0bdad1f09c6ddd8b3d61139f64de047f51af47eaaf9a0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f371e283704b2bd5cd25ebdaa6d190ed

SHA1
92626e34da33c088439cd2a04ddf24c14d00d1d4

SHA256
047048a935b63cb8beea1b45435be9c17dd61cb33f111ad3d2305a39ca7587b4

SHA512
986dd212019c028f625989f6b3f3486abaad69b964ff30db6fd02de3ef683407a6ddb963d6f6b6c2097fbda47c379bf4cb98d1f69f5cbe061a28fcb746b05465

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
95d6760aa48d209227280596aabdac61

SHA1
fcd2793ae28c21ba17f6e8a3fb38958c866770bf

SHA256
34206d7b656a28bbea3cfa290ab02ad829a03957c8ae0e1fc766187e087f568c

SHA512
bcd9126eee02fd6c2611f8ba3cc72ec78af54733e7e39da19643a6ab409afb3d4c66fdf952b94a2277245f49ce28c4cb09a5e651f6ee90b05da51730fe43fffe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
749fe5c44e8c36cd2b2b1a36b3de3d7b

SHA1
fa13d3e87881b7da45ec474b5eeb7ffc11db2ba6

SHA256
7cb7a6e2fbc914d505d5816c73ea9ba804448b6ee3765125e8d545dd62f01827

SHA512
be0c55ab80f1293534f7e74fe43ce158f000d991c0c3cd3e826612c503b2646009d05b970daef13a58a8a1aa34f180916f6634343d409cee3c7da2aaf8836401

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
749fe5c44e8c36cd2b2b1a36b3de3d7b

SHA1
fa13d3e87881b7da45ec474b5eeb7ffc11db2ba6

SHA256
7cb7a6e2fbc914d505d5816c73ea9ba804448b6ee3765125e8d545dd62f01827

SHA512
be0c55ab80f1293534f7e74fe43ce158f000d991c0c3cd3e826612c503b2646009d05b970daef13a58a8a1aa34f180916f6634343d409cee3c7da2aaf8836401

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
712d534f1eb75b10f76bef4a4ab5e51b

SHA1
830181c128931456ebfbc1fa3fd603dfec21e9e2

SHA256
972e1856418da0dc5fb726e098ecbd09416667a19b53197a5dbad3d475928ae8

SHA512
110267416743a5c6408f7afa12ba44db212266998b45c931fb53a1be2d27d624275dbca86ce2e12d64969e7919ac7d754c789c04e159e92a03d52def94d5720d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a594de02c20d879d239761a0252c3d60

SHA1
2d81671b67c3aadde85eb6f89367ff91a2936832

SHA256
d4ff1282097b17d4f290bd6dad91a69f160e408aff0f5d868416737a922e38bc

SHA512
39c7375b9ae37126646f1996bc914049fef177202fd53623e71845cfa3b84655f9e6f70d0ddf9b1f053d2e1ce3d3edb7e2d4b1e2a56c7c57995f234a06a6e408

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
32d741869d6594548a4727578f9b8777

SHA1
1eeb8f5408bcc843359de01ea4e4cffb26322a14

SHA256
f8441cecb08607246f24d8588f282a56f4d919445d2c46f67e0461d5190520a7

SHA512
c6ff32a9c6b38ba555d74279dfb341838e6fc02fedcfa42e57218b140eb5f70308d35f515af30490d7d61ebd029ac63ee7d67c648bbe068b2c8a54d10a1f89bd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
512KB

MD5
c1d8cc5de3cdd3bc3aae4e2611c28f71

SHA1
a2c8ab0865b1ed0b0fcf0917bbcd5bcfb1c2b708

SHA256
5ef7edc4ecc3b2c41e0ec71dadf03be8b70ccc778542c535f8cf6126526fd8aa

SHA512
66901145f88b9948308be8c8b729a202cee2e1d4ff19b4c3f8d5376f111379a0fdbdc08ce6ef798468289b37fd1a1c93518237fecd1dda0903451b7b90f8458d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
8db87e618da5b33d66eb7a70341582a2

SHA1
609b556923e92b162dd7957c20d2cf221deb2411

SHA256
40fd9f69090a7357cf7f1754a25ea08e2a136e81403b7188828154f70eea697f

SHA512
9f029430cc431cf6da2690ff91a556ab8079895fe64c6a7df49b57c90b610389bbec5e0b61ba461e939445f6dc655634c7928883c78317e730b7058c1810e7e6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e0a76f0532552a9dd398b7569c960228

SHA1
8b584035b4e7b61912f49a1f8416a182dedcfec7

SHA256
162fb2e11d7867b9e67f2c12cf760c92deafcf32eb6af985bf2ec20d01608361

SHA512
8c9cfb374f03ff045673541a5ad6359f2ccf30478f56e947e0b4d1098923858edc8aeebb8c502258ca8dc0d7ac6c9ade70b3e7e580177a5d8ea8c036208bb1b1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a740ece32f6cce0ac0af1d1d47681b29

SHA1
dff7b3c8939bd7fc55d980a556bbf3c1cfcb5e8b

SHA256
63075b0002f539afa02c5a0d72514093ab698a2b3b25cb67ca1390c00b827276

SHA512
5322b6d6076b2276bcdf3d2cdc4e668c2cee47f4ac9a61c3dc3151183f91882439a0c54609354a9730c3615a14ff3ef52b743f2745863bece1b9c8e1eb92616f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
75d2eda9aefa11dcb9aa17f178bccb51

SHA1
9ecef98a07ed55e56fd0b225ae2d0c6a427268db

SHA256
628446d6b7d660841fc35907165175ec5801653d7817885ba7107502f6d66f46

SHA512
b80cac9c46ea02b9785060163db949e2786bf7745a408c6f285f907b2600ae2c66636fd717c3207bb74a410aca6d2f91a4a82fb321e6437340f29f956787abfc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
06851909f581f7a84a178f95102bf74d

SHA1
5ee682f492a1688621e5e20d1b84902846a620f1

SHA256
cebd356c5a6f6b46ae5def8a453d8dffe84d28d38566dc1e9e003f0dfa7e9d36

SHA512
0d9ee5818ae4f2b5eaaf0b29500be4277b5e4e6899e66bd95100260c4fb1249796752faaea9533a7327e9d4cc50bb28f5d33d2fa3b607e222aefd9774d0a252d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ec6f03dd2f8ce3cb9be7c430435f74cb

SHA1
8c79f6c71f58f935516b13ea7e85a642508061d8

SHA256
1667ec884906a666d4abcfa961f35003df8fec6fe13f104912e031b3ad46474f

SHA512
4272aaafa057bf1d2b34d9d60160d80dfa28df245eddd7faed04d38981e79c1ecf06b03ee453981e1c1164d1d64671a8f6d2bd693fb68374506ddf926a75d2ae

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ec507e7533e931442c92e2e83054acbc

SHA1
91daf3b883ada6e7e7b3638036b44e331c55246f

SHA256
9e4471cea5aa3d2598e013e9fb2407bb607e90cb9532693937e4745e103caf34

SHA512
37ee227b51bd2794f5f4be0091e71f9d592a9d7bfa5e1d995110379d603cf23558d3491983d16da9ab574b758d39ee2336f0b55d073ad730b3e47664d49cb76c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
385abe7657d36b71786f8b4793a5fed3

SHA1
6a0d17cec06ceeef702b51edfdfd944bd4e6ef48

SHA256
87cb2768582f61cc7ef01e745e83650139df1ecc903808ec939709f4d3052da3

SHA512
a85bbccd9a3895d8d5e289fea6efc5e290021264f030790f2827d5cedd20cbf265fd522d7f88c01403805a5c592689bcfac3019c337b5a30f186c5cbd7bcf3d7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7ab2d38960c9e76e5d34f0baeec31c9c

SHA1
f171b3db7d9e94bfe2035291b47f2ce05fb78d18

SHA256
155112f10b6353e764f6ad5d0b1a1b73602a544b7b0dda983ccc7203053a22d3

SHA512
626ecefb9041c7adc87f052e1f10007399881e07a6372a8692a9026807f832af246addfdfa2a40f96f637116b0b5d02d6131259882c852bb0a38fb2eb117af21

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
256KB

MD5
bdbbfd34621f88ffdfc29d39318e1ccd

SHA1
1feb1874f632f468a68a4f193614aedc4a5b45b9

SHA256
34f520cdba5d5d74c4802de4f01a719ff7d7049443eb1b305251b8e6786305d0

SHA512
c3d797142eb920c29b720e71597ccf89bc5722d4ddfd453542953b0f698c187f33b7adec1cd76c0a9aa28cd234a15ab04d6a30bf6d960aa93ca8591b2f6562fd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.1MB

MD5
00cdb477331ad186c8033fdbfe2d7c32

SHA1
0d57eb41e90bde61a2009577cbfa8c3c1e784e76

SHA256
8a2f9f26d2da1eaa56c2c8686561922e3e7288faf13bf96046fb88c72d789a95

SHA512
a1cc248c2579c0933ee9fac88e00fbe41efefb5e1a6d677136a7420fe993f622c740c34d0e5084a74b1689dbca89d8bb45f2ef3291b6b1ce3773de0171d7bcc7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
605KB

MD5
f0d96188907857e4fc61530db7fe9581

SHA1
34aa417f3c1286e2553063f41ef3474260118f48

SHA256
3c3b393c28b3513832580e9a14bac2b34b061ecd52142f57172bdcfb771f8f0e

SHA512
06182a97ceaa03a34a5d65dc751945bc58e71545cce7a47d77e63f40276b8d101a5d60e5ad01e9a5cdacf6d2aad6a06b2bc6b13d979473acbd9644c9fac8ab7f

Download Submit
memory/516-384-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/516-593-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/672-333-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/972-310-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1172-335-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1172-570-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1696-378-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1844-162-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1844-156-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1844-172-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1864-627-0x00000232A71B0000-0x00000232A71B1000-memory.dmp

Filesize
4KB

Download
memory/1864-688-0x00000232A71D0000-0x00000232A71D2000-memory.dmp

Filesize
8KB

Download
memory/1864-639-0x00000232A71D0000-0x00000232A71E0000-memory.dmp

Filesize
64KB

Download
memory/1864-626-0x00000232A71A0000-0x00000232A71B0000-memory.dmp

Filesize
64KB

Download
memory/1864-638-0x00000232A71D0000-0x00000232A71E0000-memory.dmp

Filesize
64KB

Download
memory/1864-741-0x00000232A71D0000-0x00000232A71E0000-memory.dmp

Filesize
64KB

Download
memory/1864-740-0x00000232A71B0000-0x00000232A71B1000-memory.dmp

Filesize
4KB

Download
memory/1864-742-0x00000232A71D0000-0x00000232A71E0000-memory.dmp

Filesize
64KB

Download
memory/2544-139-0x00000000089B0000-0x0000000008A4C000-memory.dmp

Filesize
624KB

Download
memory/2544-136-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/2544-135-0x0000000004BE0000-0x0000000004C72000-memory.dmp

Filesize
584KB

Download
memory/2544-134-0x0000000005240000-0x00000000057E4000-memory.dmp

Filesize
5.6MB

Download
memory/2544-137-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/2544-138-0x0000000004E30000-0x0000000004E40000-memory.dmp

Filesize
64KB

Download
memory/2544-133-0x00000000001B0000-0x000000000034A000-memory.dmp

Filesize
1.6MB

Download
memory/2588-455-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2588-174-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2588-168-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2588-177-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2656-356-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2760-254-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3136-215-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3136-226-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3136-221-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/3136-228-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3352-520-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3352-293-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3444-211-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3444-224-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3444-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3444-485-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3788-382-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3788-592-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3820-286-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3952-454-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3952-140-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3952-143-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3952-144-0x0000000002EC0000-0x0000000002F26000-memory.dmp

Filesize
408KB

Download
memory/3952-149-0x0000000002EC0000-0x0000000002F26000-memory.dmp

Filesize
408KB

Download
memory/3952-170-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/4036-252-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4036-230-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/4260-195-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4260-181-0x0000000000E30000-0x0000000000E90000-memory.dmp

Filesize
384KB

Download
memory/4260-187-0x0000000000E30000-0x0000000000E90000-memory.dmp

Filesize
384KB

Download
memory/4260-190-0x0000000000E30000-0x0000000000E90000-memory.dmp

Filesize
384KB

Download
memory/4436-608-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4436-456-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4612-201-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4612-193-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4612-196-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4612-471-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4644-311-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4644-542-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4724-288-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4732-290-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4816-401-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4816-594-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download