darkcloud | 9644c370f8d029005b9ab653ab47487d24fcd626abb3f34157e2fe31e617edc4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2023 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PurchaseOrder202319876.exe
Size

1.5MB
MD5

9b2f59561115406e4be61403a0add295
SHA1

3068c0d984638b73a75f568cb49557543c344b59
SHA256

9644c370f8d029005b9ab653ab47487d24fcd626abb3f34157e2fe31e617edc4
SHA512

47f9b8352c0f75decbdd3734ae1916cdcd1720406b442f5210166e703585b12edafad569a7f687c8c66741aa786a6319e382aa95c83580ced345768dbd3ab939
SSDEEP

24576:jQ3UElRshsEyPyG7cYYKLTl8+oyVryispex6Cn1rwUMpuPpowgbeazV32JNBJOmB:s3UElq6EyPF6KLJlBxscfrwVuPpyzmh/

Score

10^/10

darkcloud spyware stealer

Malware Config

Extracted

Family

darkcloud

https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046

Signatures

DarkCloud
An information stealer written in Visual Basic.
stealer darkcloud

Executes dropped EXE 22 IoCs

pid	Process
3440	alg.exe
1528	DiagnosticsHub.StandardCollector.Service.exe
5068	fxssvc.exe
1420	elevation_service.exe
3644	elevation_service.exe
3476	maintenanceservice.exe
3460	msdtc.exe
404	OSE.EXE
1336	PerceptionSimulationService.exe
5000	perfhost.exe
3936	locator.exe
4624	SensorDataService.exe
228	snmptrap.exe
1736	spectrum.exe
5076	ssh-agent.exe
4656	TieringEngineService.exe
2424	AgentService.exe
1652	vds.exe
4300	vssvc.exe
3964	wbengine.exe
3876	WmiApSrv.exe
1284	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\dllhost.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\msiexec.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\vssvc.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\System32\alg.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\locator.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\System32\vds.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\wbengine.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f29ee737c94b1c77.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\AgentService.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	PurchaseOrder202319876.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 524 set thread context of 3916	524	PurchaseOrder202319876.exe	91

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	PurchaseOrder202319876.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	PurchaseOrder202319876.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	PurchaseOrder202319876.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b124c59b77fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000325c7959b77fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0b3925ab77fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2d1cc59b77fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003331945bb77fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005558f559b77fd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fc2025bb77fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002258ba5bb77fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6b97362b77fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d204445ab77fd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007907635ab77fd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe
3916	PurchaseOrder202319876.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3916	PurchaseOrder202319876.exe
Token: SeAuditPrivilege	5068	fxssvc.exe
Token: SeRestorePrivilege	4656	TieringEngineService.exe
Token: SeManageVolumePrivilege	4656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2424	AgentService.exe
Token: SeBackupPrivilege	4300	vssvc.exe
Token: SeRestorePrivilege	4300	vssvc.exe
Token: SeAuditPrivilege	4300	vssvc.exe
Token: SeBackupPrivilege	3964	wbengine.exe
Token: SeRestorePrivilege	3964	wbengine.exe
Token: SeSecurityPrivilege	3964	wbengine.exe
Token: 33	1284	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeDebugPrivilege	3916	PurchaseOrder202319876.exe
Token: SeDebugPrivilege	3916	PurchaseOrder202319876.exe
Token: SeDebugPrivilege	3916	PurchaseOrder202319876.exe
Token: SeDebugPrivilege	3916	PurchaseOrder202319876.exe
Token: SeDebugPrivilege	3916	PurchaseOrder202319876.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3916	PurchaseOrder202319876.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 3916	524	PurchaseOrder202319876.exe	91
PID 524 wrote to memory of 3916	524	PurchaseOrder202319876.exe	91
PID 524 wrote to memory of 3916	524	PurchaseOrder202319876.exe	91
PID 524 wrote to memory of 3916	524	PurchaseOrder202319876.exe	91
PID 524 wrote to memory of 3916	524	PurchaseOrder202319876.exe	91
PID 524 wrote to memory of 3916	524	PurchaseOrder202319876.exe	91
PID 524 wrote to memory of 3916	524	PurchaseOrder202319876.exe	91
PID 524 wrote to memory of 3916	524	PurchaseOrder202319876.exe	91
PID 1284 wrote to memory of 2096	1284	SearchIndexer.exe	118
PID 1284 wrote to memory of 2096	1284	SearchIndexer.exe	118
PID 1284 wrote to memory of 4392	1284	SearchIndexer.exe	119
PID 1284 wrote to memory of 4392	1284	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\PurchaseOrder202319876.exe
"C:\Users\Admin\AppData\Local\Temp\PurchaseOrder202319876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:524
- C:\Users\Admin\AppData\Local\Temp\PurchaseOrder202319876.exe
  "C:\Users\Admin\AppData\Local\Temp\PurchaseOrder202319876.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3916

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3644

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3460

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4624

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:228

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1736

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2096
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d724e4367df183c230f9be681577611b

SHA1
952df21862bda1de5c0915ac9dd537d55ed96cb0

SHA256
007e5c35a20ae332cf93ea88c6b8ba813c47533718c1cd6d2113e9995c2ff13e

SHA512
08878ad3d4296c8f7dc2a8f2a3b51abaadf2e7d7c696a21740af4d8d2c45100d91dc612562760c909dc3e74c9b7a693f3b1704fd1ad06c11878632f0a5746b1f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7522b4c893e17e1e3a0b188a83cab6f8

SHA1
ddca1c5fba5549d77fdd30a05fd53e0a8e7391d6

SHA256
802db481a25b8ac2f9c1c66e9d8f210bc58c4a9f2ca55e26bdfa660bb4e31de4

SHA512
9705431647297faa5ab4687e4239e3e339f30c77385e0b2c7b4d937ca114c8a61a4fa73bb4fa738d66a428fae599a99b28467d9f88de18c209dded31d8fc4b47

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
09b4440521d8aa73ea4dfc0a4ea4feaf

SHA1
918884df552bf8e03f60ec2aa48e9b70466b55f7

SHA256
1407556f314940a9857ae5a01fd8fbed01d8161532a1db2dbc76fe1bedf7ac3b

SHA512
cb234c9c0636e42006c24b372c602ad98a5d887e8c969cfdde1feaed30cc05c71fa2286a6806313e4e22dd9bcc538f03c0d906f0583404c1822d851b505040d9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7fa663a9486b337e2a437a35235afa07

SHA1
4e9a12d92f1ddec334bf0f803b54ba8fb735d007

SHA256
fbb74b084fc4518c005bc2c0c379f8f29f8d9b2dcbfb34ea12f1d89ed0a75f81

SHA512
900e81ab4d12d4f5071a6c178e86a04a71b6766a59092aad871e5a617fa09ea3cea18fd52d491515f2e7f53ee83a366a36161855801cdfc1fd651834e4a31d90

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d8c15a538b8a5b57d561664151b441f9

SHA1
9ade62aa1dff2e5db61a1146ac4c4b42ab8b1dc4

SHA256
cf27a97fbf2b41af76578dd1278df45ed5b1480b953501f31c548f2b50b84ae3

SHA512
26702d8077797762ed2f95cdb3e2e471de1bcf8ea1f49a8f5cc16d4637bd4310b6ab0c3c7151ae5f9bd5e6de9851780f22c76159e8f2247e3943614a2dbbac1b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ce9bf31d22ba7545ff55c5a13e9e03a9

SHA1
85445bef0c7587bedddbccff0561e29ab74bc969

SHA256
d934e6a134b329867f6869cb9de7da965d706e3fc323cd3655b0dc928183219e

SHA512
f2b15330846adf8fb5ee2602f0364278ef8964f623ff509c6b085be726df39a56ea99bb0b2b8ace1aedfc97a845fc6832546a95592d9fe2f92d8c6936f4c70d6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b95c72985a765a842c1d6cbe4c77926e

SHA1
562f8f32015c2f7a5f61feaf53f14ab8c665ab6b

SHA256
5b234a9cc3907f24c440be8fb418511fdfa645168e3dcfa64b46a4416ec5e998

SHA512
da7cad8ef59a5a94d1e437f0af3f5de216c2de96c885f9221b5ab10a1f853d35f35f8b4ac6319c7af1372b0bb99d9e38dc7156007c4e519ed93eecdb075ff06c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
4d3e3b3719dbcaa3e92adb142a5c03b2

SHA1
208df553558bdebd25f033e8a5f01ff058f9bb8e

SHA256
53f51a9a1703aff9270de857ca541b1b6acab3d2a9d7a4832d3b0bf48dc7c72e

SHA512
b2717f7f24624d79875c3ca51c44add65b5143cce168fb890e13087e8365b69d345ece9557601fa69f2f99259ce0fd1d977f0e7ed4a020ac9ac36d7a8acf4604

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
e7f844fcd78c58e90ef6d4bbedd954b3

SHA1
65b665cc9608cfd4eb03af85cefb581c099d9058

SHA256
09ba93db1d4cfe9762464b09274d0d8b082ff268c1ecd1c299c15b6863f7e31b

SHA512
4779a04f33e6b3a8b431cd1c672ef60c0d5a8b343dd175db11b623f9f456d2bed3ccaa3c5cbf3d00d1fd1b1a8b5ff8b4ad4442314a7ce6aaa0b21527466b5ed6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
108b45d611988c76119f3e4f7472f5ad

SHA1
a7b1d8e57de535718d74bf14f0acd20e03fb74b5

SHA256
e2037551416b74714462f708201cdb2b63658e59123401f688b4c0a1b1318c1c

SHA512
8a7482d977b96889a7377af3a881856f8f2a2fde30567526938ae974f293e2d959504111cc5db6bd9107154b2b5cc8cac777a7c497bb0de7699783032db988ac

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
108b45d611988c76119f3e4f7472f5ad

SHA1
a7b1d8e57de535718d74bf14f0acd20e03fb74b5

SHA256
e2037551416b74714462f708201cdb2b63658e59123401f688b4c0a1b1318c1c

SHA512
8a7482d977b96889a7377af3a881856f8f2a2fde30567526938ae974f293e2d959504111cc5db6bd9107154b2b5cc8cac777a7c497bb0de7699783032db988ac

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
ebed1108dd24df2f0c97e5dc6c3556f8

SHA1
e2033fa75a96d86dfff3dcd803e38378c68c13f0

SHA256
802868dc666c00dbbe924f366669e3e4ce1cb96327fe2dbf8ef3d71922cf097b

SHA512
74bbf3244e5da4d6a9f9897443f02fde372b0553ced3423548b777432cb0cab55cb3631639a65ada102021e6d99fe80c517692f30c82c64f2b7b75c0bfc7a852

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5ccd5ac8671b5e872aa5f188ef1e502e

SHA1
8e9afed86270c86425f36f9082954cfb209100da

SHA256
364bec6e03b173bd8fa106ac7f972bc513c3c24e608ec39db21eaee1bd59a3d1

SHA512
e4b4340f7934782b498c5db9bd698a90147c282ad184c124c09f5ded7c8cc11c01a715b3428c6d448c0927d1be03d439ef63fe1bbf7e00f2095238ac86f79711

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c04d2f85e341b9027ffbbfbb160831b8

SHA1
baa71e30f9d730d72319690e3f9f327b34f15f7c

SHA256
8ccaecc2cba04f7aae7208381323b0be3faa33fded05bbd2d1ace934f3ea3bfa

SHA512
3c87d52fa3d4647197babf022ed26633fadf498639ebb0164f05f4dcdb14b7016823f0197dffa602d04757890def12cb81409b2a0fe4eaa1dc7426b7337b582c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b6aa2cf58ac87cf84c0209a7d46dfb16

SHA1
d4a875870c1b15ad0594629d25fdf05882d14ae3

SHA256
df794505ef3ba6fbf4a4f3520130379cd8e0089c2a4bc4ec8c694acf12e0d11d

SHA512
e12ef12a8577127408623442a15a28bf787a69afd2df24aef2c8d5e8b3f5229a09a89a211e1c663080654ab7937c468e9a01fc454aa570207869db07cfbdfaa2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
6ea27e5ba43e0cf4dd1c0e5bef1e5f31

SHA1
ab54bb3a50b06cdf52fc58aaab0244c0a384bdbc

SHA256
025b78b75ac033f6a6c87b16992390ba48ba7737ba303c245ecaceef5094ddad

SHA512
1b365ffecc613fa70f94106eff6d942edaafae714cd5d32e72150895dbc8aeeb92122dc4e2a11ee1ae86432cb783b3c3ea04d9f3752c90b6076f98f5a2fc0455

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f8bcfaa2c7e8711af01eb4d26a9fa533

SHA1
36317d3ae9b63a46a0d4177e1f30976363a9ae67

SHA256
223c2118d4e4e4ab216506fb78cd1fb6c84bd957e0d4a837542a75e61a1bb79d

SHA512
07623a0ecc0528db9c856c04d5d771c7ad82ee413cc07c8db2f24296c464a3afacb84cacf4adb8919f1b1601fccb0fafbadc20ed340695c7d666a6fdb89a5001

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4e9ea5a683860ac43d3edb56ac3b20fa

SHA1
c51b4159a7d2bfb082a9316e88a1df7aac721235

SHA256
458efbdbbcd85ea56b5eb349bc5ca1eafe763e3dccff8fb46b120629c81ce55c

SHA512
6ec5b24721fe553381fbafbc514d9a622d9a6ea268f793f0f0e36cc8b8c07bb18f449030a1856d0afcf183d4630518ced7d23ceb6001ebd3515ecbada5ccdc56

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3998b0e33052aeeb4ee4a48712865f37

SHA1
0ac4e836d51668236709fcfbb009e1d2cad8a7b5

SHA256
5387f11a778b84831630e5d8748d95b06fdb243d21e17fac9038ad8da878f3ac

SHA512
e4607a450381b6b135aff174efd066517189460e92eff9bbb6aa1b5b1ae7952143ef3a91d7946a317c1256f2b630ac8290a7327a277330bd7be30b35beb257f8

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
016fff2044734e2de516c10d1c44a042

SHA1
d622b3fcef3310dd24fbe3952ae8b2848674711d

SHA256
29bdcd13d62056783fd7a3f369a8c432a3aaf3cf1f6f01b56f0e8f85de090a6a

SHA512
99b66e87ba81d1a82e25484fb5a64602ed7b7449e8e84ef0599c432ec66da48314c1b644170fbe1005398d81b78efb309c897a04871f8df208f08b582bb10529

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3d62c6b5fb242ba04c4ebb514c758bf9

SHA1
0fa59de88d44daec39f7bc6846489ce8fed117b4

SHA256
7240c6e510b67cd0c5073ec4f3ed87e4256c86adf7f313fcdf8d2a1ce6dc84fa

SHA512
0b708a7f1fcdd3b694c80cdb29b6c65f0af60ea88d88083d4789d53e1f317d357256b639acad3fbddb9e861dd41d515e1027624eeb2a01f75613184d37f1e56b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
05430150e088b7525b00abe566ad4f71

SHA1
dde9b458d8f5a60c273f9a4a4eb2befe73691cf0

SHA256
4ca8b1f95fd1e177132dc6e30dbfe7c5147e5b1151ab8a6fe3046308232b967d

SHA512
2c040faf09a7e962dde7ac958862c7d3e7c85a50f93a370f8bc5fc4211e52833ebf14314851e4a3f9ab223611db6bcd82d989161c8ed0060daa4fa1b488563d4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
45d1f362611bcf004405507b7bd477df

SHA1
1b90e4abaa1e532a55702b1384bb85138b597658

SHA256
fdeb3969c4ed4c6cc9f51389a93343b1413de36a9113fb68628685334522d77b

SHA512
e47ad3036f652fa0edd06d9574be2300a8353a5e73976e7d7ae78ed5a5a78980d186d4b08ad0dc1d8261768b7cee488ce78d6021e564752d27831931c0d5d602

Download Submit
memory/228-319-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/404-258-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/524-136-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/524-135-0x0000000005B80000-0x0000000005C12000-memory.dmp

Filesize
584KB

Download
memory/524-134-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/524-133-0x0000000000E90000-0x0000000001016000-memory.dmp

Filesize
1.5MB

Download
memory/524-137-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/524-138-0x0000000005A50000-0x0000000005A60000-memory.dmp

Filesize
64KB

Download
memory/524-139-0x0000000009F00000-0x0000000009F9C000-memory.dmp

Filesize
624KB

Download
memory/1284-495-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1284-413-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1336-262-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1336-275-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1420-194-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1420-204-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1420-273-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1420-200-0x0000000000D30000-0x0000000000D90000-memory.dmp

Filesize
384KB

Download
memory/1528-272-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1528-169-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1528-176-0x0000000000490000-0x00000000004F0000-memory.dmp

Filesize
384KB

Download
memory/1528-177-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1652-360-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1652-493-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1736-320-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1736-491-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2424-357-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3440-163-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3440-174-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/3440-157-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/3460-255-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3460-230-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/3476-224-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3476-227-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3476-215-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3476-221-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3644-205-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3644-211-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/3644-229-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3644-274-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3876-412-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3876-494-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3916-154-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3916-143-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3916-140-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3916-271-0x0000000000400000-0x000000000065B000-memory.dmp

Filesize
2.4MB

Download
memory/3916-144-0x0000000003740000-0x00000000037A6000-memory.dmp

Filesize
408KB

Download
memory/3916-149-0x0000000003740000-0x00000000037A6000-memory.dmp

Filesize
408KB

Download
memory/3936-293-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3964-390-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4300-389-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4392-637-0x0000018DE6C80000-0x0000018DE6C81000-memory.dmp

Filesize
4KB

Download
memory/4392-648-0x0000018DE6CA0000-0x0000018DE6CB0000-memory.dmp

Filesize
64KB

Download
memory/4392-701-0x0000018DE6CA0000-0x0000018DE6CE9000-memory.dmp

Filesize
292KB

Download
memory/4392-718-0x0000018DE6C80000-0x0000018DE6C81000-memory.dmp

Filesize
4KB

Download
memory/4624-295-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4624-482-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-343-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4656-492-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/5000-270-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5068-193-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5068-190-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5068-187-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5068-181-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/5076-342-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download