Analysis
max time kernel: 146s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/05/2023, 11:36
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
Resource: win7-20230220-en
General
Target: SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
Size: 1.6MB
MD5: 26267aefb12de3eface8ae87dd5d4a6d
SHA1: 88aad0f963f04e283183f6fe02db0b9c384f2df4
SHA256: 847e04095e646bc56458e498de0e8741d873b777567a0372b59d27d4f1d3b625
SHA512: 38cfec123689aeb8fa3a628f5a99132686b171871e799790b1e9a891710b1cf53f518f523baa67bf5bac527e2370ec759957bbe23cbbcb555098be687406c833
SSDEEP: 24576:lALd9G4jLamVOjHuCB3G2Z9+HCr7YJ/38yT/BFqHac0J10307SGMjo:S7GsGgOLnB3j/+c8PFTpgHP6ahG
Malware Config
Extracted: darkcloud
https://api.telegram.org/bot5955632087:AAGbHX-YygFpBeOiEaTfH9CY-2MMNrZcY48/sendMessage?chat_id=865011046
Signatures

Executes dropped EXE (22 IoCs)
pid  | Process
1388 | alg.exe
3452 | DiagnosticsHub.StandardCollector.Service.exe
4688 | fxssvc.exe
2088 | elevation_service.exe
1640 | elevation_service.exe
2480 | maintenanceservice.exe
2140 | msdtc.exe
4492 | OSE.EXE
3516 | PerceptionSimulationService.exe
2008 | perfhost.exe
4192 | locator.exe
3888 | SensorDataService.exe
1164 | snmptrap.exe
4768 | spectrum.exe
3668 | ssh-agent.exe
1908 | TieringEngineService.exe
2296 | AgentService.exe
4688 | vds.exe
3448 | vssvc.exe
2440 | wbengine.exe
3876 | WmiApSrv.exe
1700 | SearchIndexer.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Drops file in System32 directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\4e55a44ec9ce9937.bin | alg.exe
File opened for modification | C:\Windows\system32\dllhost.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\fxssvc.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\System32\SensorDataService.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\wbengine.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\wbem\WmiApSrv.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\System32\alg.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\AgentService.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\MSDtc\MSDTC.LOG | msdtc.exe
File opened for modification | C:\Windows\System32\msdtc.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\SysWow64\perfhost.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\SgrmBroker.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\spectrum.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\System32\OpenSSH\ssh-agent.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\TieringEngineService.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\vssvc.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\SearchIndexer.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\msiexec.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\locator.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\System32\snmptrap.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\System32\vds.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\system32\AppVClient.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4628 set thread context of 4036 | 4628 | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe | 91
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe | SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
File opened for modification | C:\Windows\DtcInstall.log | msdtc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | TieringEngineService.exe
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | TieringEngineService.exe
Modifies data under HKEY_USERS (64 IoCs)
Suspicious behavior: EnumeratesProcesses 35 IoCs
pid Process
4036 SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe (35 identical entries)
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
664 Process not Found
664 Process not Found
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
description pid Process
Token: SeTakeOwnershipPrivilege 4036 SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
Token: SeAuditPrivilege 4688 fxssvc.exe
Token: SeRestorePrivilege 1908 TieringEngineService.exe
Token: SeManageVolumePrivilege 1908 TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege 2296 AgentService.exe
Token: SeBackupPrivilege 3448 vssvc.exe
Token: SeRestorePrivilege 3448 vssvc.exe
Token: SeAuditPrivilege 3448 vssvc.exe
Token: SeBackupPrivilege 2440 wbengine.exe
Token: SeRestorePrivilege 2440 wbengine.exe
Token: SeSecurityPrivilege 2440 wbengine.exe
Token: 33 1700 SearchIndexer.exe
Token: SeIncBasePriorityPrivilege 1700 SearchIndexer.exe
Token: SeTakeOwnershipPrivilege 1700 SearchIndexer.exe (25 identical entries)
Token: SeDebugPrivilege 4036 SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe (5 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process
4036 SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 4628 wrote to memory of 4036 | 4628 SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe | 91 (8 identical entries)
PID 1700 wrote to memory of 4300 | 1700 SearchIndexer.exe | 118 (2 identical entries)
PID 1700 wrote to memory of 1040 | 1700 SearchIndexer.exe | 119 (2 identical entries)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4628
    C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe (child of PID 4628)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Lazy.338484.17766.6491.exe"
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4036
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:1388
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3452
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:4476
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4688
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- Executes dropped EXE
PID:2088
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:1640
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:2480
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2140
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
Command line: "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
- Executes dropped EXE
PID:4492
-
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
Command line: C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
- Executes dropped EXE
PID:3516
-
C:\Windows\SysWow64\perfhost.exe
Command line: C:\Windows\SysWow64\perfhost.exe
- Executes dropped EXE
PID:2008
-
C:\Windows\system32\locator.exe
Command line: C:\Windows\system32\locator.exe
- Executes dropped EXE
PID:4192
-
C:\Windows\System32\SensorDataService.exe
Command line: C:\Windows\System32\SensorDataService.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3888
-
C:\Windows\System32\snmptrap.exe
Command line: C:\Windows\System32\snmptrap.exe
- Executes dropped EXE
PID:1164
-
C:\Windows\system32\spectrum.exe
Command line: C:\Windows\system32\spectrum.exe
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4768
-
C:\Windows\System32\OpenSSH\ssh-agent.exe
Command line: C:\Windows\System32\OpenSSH\ssh-agent.exe
- Executes dropped EXE
PID:3668
-
C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
PID:2072
-
C:\Windows\system32\TieringEngineService.exe
Command line: C:\Windows\system32\TieringEngineService.exe
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1908
-
C:\Windows\system32\AgentService.exe
Command line: C:\Windows\system32\AgentService.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2296
-
C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
- Executes dropped EXE
PID:4688
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3448
-
C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
C:\Windows\system32\wbem\WmiApSrv.exe
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- Executes dropped EXE
PID:3876
-
C:\Windows\system32\SearchIndexer.exe
Command line: C:\Windows\system32\SearchIndexer.exe /Embedding
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
    C:\Windows\system32\SearchProtocolHost.exe (child of PID 1700)
    Command line: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
    - Modifies data under HKEY_USERS
    PID:4300
    C:\Windows\system32\SearchFilterHost.exe (child of PID 1700)
    Command line: "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
    - Modifies data under HKEY_USERS
    PID:1040
-
Network
MITRE ATT&CK Enterprise v6
Downloads