cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006

Analysis

max time kernel
155s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 23:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
Size

615KB
MD5

7b3e1263b6cdecc8b1cd1033ffd750e5
SHA1

13a43c3d9ed1ae84b680506360daf19c79921ba6
SHA256

cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006
SHA512

e62e39345bec93569a5e5eba7ec05e80f3881a0ef781dfee2c930ab4e23a0a8a0af973880835b5fc2a78e2543421c204f09d25b9d11258f26c1d7823facfe61d
SSDEEP

12288:aLRRS8Y6Bgvqwkd8dL/2LUGBRWvV/vCmVB9qdBmp7AAHol4chNdT:YS8VBxwkqd2LZjW1xqS73k1hNh

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3316	alg.exe
1020	DiagnosticsHub.StandardCollector.Service.exe
3252	fxssvc.exe
4512	elevation_service.exe
5012	elevation_service.exe
1104	maintenanceservice.exe
4984	msdtc.exe
1416	OSE.EXE
748	PerceptionSimulationService.exe
3764	perfhost.exe
4248	locator.exe
1504	SensorDataService.exe
4196	snmptrap.exe
3192	spectrum.exe
3988	ssh-agent.exe
2972	TieringEngineService.exe
5144	AgentService.exe
5208	vds.exe
5292	vssvc.exe
5456	wbengine.exe
5532	WmiApSrv.exe
5592	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\System32\vds.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\vssvc.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7de408fbb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\locator.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\AgentService.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\System32\alg.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\spectrum.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\wbengine.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005b61b49e6776da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004994b5a26776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b220eb06776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000551ed3b16776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bafeb7b26776da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008cec82a06776da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
Token: SeAuditPrivilege	3252	fxssvc.exe
Token: SeRestorePrivilege	2972	TieringEngineService.exe
Token: SeManageVolumePrivilege	2972	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5144	AgentService.exe
Token: SeBackupPrivilege	5292	vssvc.exe
Token: SeRestorePrivilege	5292	vssvc.exe
Token: SeAuditPrivilege	5292	vssvc.exe
Token: SeBackupPrivilege	5456	wbengine.exe
Token: SeRestorePrivilege	5456	wbengine.exe
Token: SeSecurityPrivilege	5456	wbengine.exe
Token: 33	5592	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5592	SearchIndexer.exe
Token: SeDebugPrivilege	1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
Token: SeDebugPrivilege	1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
Token: SeDebugPrivilege	1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
Token: SeDebugPrivilege	1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
Token: SeDebugPrivilege	1892	cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5592 wrote to memory of 5216	5592	SearchIndexer.exe	135
PID 5592 wrote to memory of 5216	5592	SearchIndexer.exe	135
PID 5592 wrote to memory of 4032	5592	SearchIndexer.exe	136
PID 5592 wrote to memory of 4032	5592	SearchIndexer.exe	136

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe
"C:\Users\Admin\AppData\Local\Temp\cbdf882bf39be842a77a1b837c302dbce96687928d0f60c9987f30910719b006.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3316

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2140

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5012

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1104

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4984

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1416

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3764

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1504

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3192

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2972

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5144

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5456

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5532

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5592
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5216
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1852 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:6128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
55ecfb44bc8701be1cca4895ac082c60

SHA1
bfb0e6baaa9dfce334cf924d8e99161c5b8dca59

SHA256
8d9dcf1f0b15f8d5df6a3950ffa4b5c82c30ab247fa0111ce99f0bdf7d3edbdf

SHA512
7231317f143950fdb043dfba05b24967e151d036396a45b20579852545777f90cbcf2cf90e05984aa33dadf56f8cda2a03453606142523a80cc49160a3158e62

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
a06c1e2d87424a82fb8998bc6ee8f97c

SHA1
48af1be9237d8991f522991aeba2867b393a0f1f

SHA256
888a0d08848110053b47bb8378242cd141391581b254b0a5749e186d67d0bc0b

SHA512
589e4d8b2a8ba66109c85a9f3d7ae0d4a612de1af3c2c2da7485b7ee202bd82df809c1a08be0c72f3f2602af0d3b3f9728b0ed972a47af2756ee144d7a31a531

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
964f5add92bebb2e91676cfac5b728c2

SHA1
737d7e184c38c01cf3ace3e1a07edbf3a0016cc3

SHA256
83483a6679cf163cc09e34de01efe03308899dc09ad17a63f072ab3c76eb355f

SHA512
2c27c88b1625e1b665cb43eca104f19d926cff15a093df5144cc001745cdbb10744a06ce2a98165916d46c600f29356478ed195c2f69becbf4d158e2d1cd2ceb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
5e4b4f3a1cf554c3a17d487f8e612e8c

SHA1
86e68260bc683de46df7fd3bb0797c6dad1d9815

SHA256
987bacc9b0a41caaa6bf28fa21ed734dcc5909afb93f08db12996d740984f84f

SHA512
57e7f21cff82b6b6d4161e5c0c451e1ce7d0a61123ac87b9517e19be91f82ab03d812d48428fb720d717882857f15ac3e60f0b6608545e7940fc0f4889042de2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ff9fd61e948a4a0ee74bfbeaf21a6f0a

SHA1
a0a77ab5bca7e0f4c1df533e554eb02cb65ed3e2

SHA256
31a8285872e1bc06d798a0f17f8327d494881bb513021f7b1d8e846590b198a8

SHA512
4b0c0cf9c384164a8a4905399ebc77232431259d0103ba9586927e09263a54b5f952cdef2107b0e515e82ccc7c31b2d6d709bbe3bdca27d9f691275a43412d88

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cfd89c4dfa264391fe423c8a31be4466

SHA1
8bbe72576ba648a3456135f739b5beb31a81666b

SHA256
16eaf877247c592a104c4a626bbcd7f423a19b76e658688f05029285afa4dfd5

SHA512
7f87ea994b52b816353d0345049cf059bef57626cc05a6c2e38207de7348291f9340e3abeca131ed42fc4480f54985162e3f5f6ec5c199277a84ecb746f8f3fb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
94c41f37dfed650d8ce0cb38a66f97e4

SHA1
e93054ca4fda9e9d51f0781290ad0cfa6793417f

SHA256
08bad2dc423b0d8cfc6c69089537f120eaf3b694bee4e8ac17f79dae6ccc0b8f

SHA512
636507bdfce3bd2a72afb501a2f00042e6e07eb5540713b0033584a1f332a56f36f095966ea13f3a4bd1ee681554e933313cbf573cb1144d1ee0da6d9771e415

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
abc4067945c3517e4442b53b3c13b66f

SHA1
59b95a1b6d4b0de4615afde5369a722519fb7cee

SHA256
0862648e116ff93efee0d510d15d83b32514fb2fe0503bce751516a9f247b62a

SHA512
3ae6b6f8126ba0fcb25852e8879ea1f9efa8ed0e9d06319b80ddadeb972d8626db7d161aa370f7b85a62c53d994b27f20ea71a96160bb0d83b3ba82de6e66314

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
5e177ece1ff3ef9870470ebce3777e75

SHA1
ab21cf9bf9a2d499692d0cb71b2a035c62571f61

SHA256
0f082ec356389f1930d2874a52b1af885a8eca8668dc066700b6c7ce95114702

SHA512
cba70eff21f661e60fcc5488efb2e4d6700f15acf21032b68f7623cefd44f1df9c956e67a48071bf352abf245bb8d604656758464076384527722a61e4ab81ab

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
852c7b6b42173a9faad38e88edcff0ca

SHA1
1f824303609deadb0c3bf6eb467be79d0633a722

SHA256
209b9066c6af6d70a42be78496e42a951f42ef2aed4f4cf0e00a9b6350255d1e

SHA512
bd786e2c6484b4b4d6b6cf7c43192fc5d9a4920b589d437fb3cadf0d5d91694380cfb81ab2a0f584aec5ef9ca74e07d5f3e68b3d933485a7d0c1b971d0b87dff

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
11bfb186eff245eccd1b863dbefc6a3c

SHA1
88fab734dffb01fba25afc6caeb9b727f1ff2133

SHA256
8a7e48fe7adf833217ccc215300bef7014181f170b4499ec7720fa9ae8a163a2

SHA512
583c725123e629e84c0258ed7eca1056c67c9cd34f43b3d781cb5bae0d0ea7d24f1a2828e8b0e6b8b6a99f8f015130816f5bb39a0b66c28f203fcc5cbb62175e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
22096d235778cb06d9fc11e263e13a02

SHA1
b2a58a47bf5da612610b0a7420f48d9ad983df8b

SHA256
6ab9c3f7db8e62c08b1e38e642dea4de4b5c4dec229f8967667250065ef002fb

SHA512
f64e78273ff2f7c2f05213993f6b60bc4bfa73dc7352f9e2b057bc185817a9da4987634722d2e20c5b80ac73fe42eed5f11fccdf740c1b213f34f1e021efc836

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b45963c27e1201818e176b627ac5c4ff

SHA1
c598d37261ea770b5dbebe484af5a57a76792dab

SHA256
37e87edd67e250dc7b8caaff994b3fc4ab6fcdfe2aeebce331b51683a5f6d292

SHA512
c5163ddf80690734f0af509402ccc9ca88368c86cc69f51e319d64be510e24a29f6a9ba7d6bdb8a7dca77decdf8eddabc37d549c441ed184a3a7ffd1d0fdd185

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
429KB

MD5
b279a16be454b455c7c73b953ad15f43

SHA1
b81be4a1ed55c08b3ad683f1629395eb682e6c48

SHA256
f53b012fd9150935351e31ae8f9fc95b6ca3fe672b8b27a8ab8edfbd39ffd068

SHA512
6a42174c871954f92b9627f3985a3f3838472e0809ecc107903b16673208b176ed47f2abe551a0ddbdf29e825e8bf060a378a155297dd1cba2e91824c68cf9ab

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
18c58a65b11aca0ede36e1010c029c31

SHA1
ce7b7ca24cd8b3212d43580e409a787268992bb0

SHA256
2be290f0098bf315d09ba78d13112c979add0f3d04c05ab2ff13392aecefd05e

SHA512
95d09d43eb50e051e448f363525f51407d06c3b8e3de986c93946f361dc61cf33b628354c98c6d62dcedb796ee94d10838642b48ab41bb8597a3771f7396f30b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
967b45a443eeba700e6e2a70704dd0a4

SHA1
365e4ead5bedfd03b6848d3cb9bccc613288b356

SHA256
caa9c11380d8b84490071bc1693f13fe4e7babce322e48dc5f3a3ce022f6af57

SHA512
3d0ea383ee7e8a19c7cdd2efa55b4438565795e67ae423eb1869e91ec61c4cae48e439d49ef4f6f700b5c430cfa54f1dc47a3d877ea0a6718067874ef3d6207e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
dff320d0d34c3bebe01797710848f2c5

SHA1
6185522430a0bfc5f314c154f3e657aca7a7ce1d

SHA256
6f44f5e4ebda7b6a6257d30a84432f6549507cab497952d32ca5da95b1e04ac2

SHA512
263150a9bfebf596f36ac36d7826382221cf0bdb47f66c87a7724ce88ab977fe6dfc202c884ac4c0abc36cfb322d4feec6e443a3b6c62b97a2eb3651bbb3bb5a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
170a1efc8c35e5049ef5fe9a5db7c4ef

SHA1
62853f0abaa20ce05544f3a732046bb3f72923b9

SHA256
2e70f7fc6f2f6d9ad4301e77f3297088e522555bf24fa5864d037b6889e87614

SHA512
3a377c5a36b0572c3a7fcc599704979fb30386cb774168c8b8bdc6240cab3d7f3bac321536b22c5568f4154c13e00cf16a622faacaf2aebfe93406c8570d331d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
8cd32679f6f5ed38296554d84772ba01

SHA1
bef7efcc50fca7d92d9fb8f6de062aba1e5fbd15

SHA256
09615a53e61bd02328cfad3895f985da9c4ed265a886de463a73d167ef2a5124

SHA512
4ed270dd334e654660e7316f1a36afe7660b5a07f0819b8ae9522c1e399a970aa5453161513127930f7ca145e211b6fff2fc3a376a6265766562b3e7a9410bec

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
11b08a0c65597358d01c6bc8ade25b94

SHA1
dc6d4d4ea5573a37ed388002ba9a1464e4a0a5c1

SHA256
b6174ce957d4145c547913da0a754b4b69753c91f747194551802ed82d9adb67

SHA512
1fa6bd2969154091aa552b07d69c20938c62505a5da4d065b113c001fa1a6ca9a59e411c8925c47c915ac544bd7b325335d677165e8959f810dc8dcd04084b01

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e7050b18a6a4dc74baf2984da45936ec

SHA1
b7cc0e94e79cfc098e1a60a6da249a85f049d191

SHA256
35a82eef2d9a7dccbe4bf49a52e79185e629c329b7b12d671afc853766387d43

SHA512
673bd34c4e14f3292391f6e47f0c742daf0ec2a22db2af58ff342d34fcfbc555004ce2749449a347f2432a2059aebaa78b020b57f8847f7ac25721529c9996a5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3c615e685c22d9ae224dc9fee5a316b2

SHA1
e07dabbb446a61a48ae67b87f1dc7654bf9e31f5

SHA256
5c2e68df50475e3bf97300eb42c3fba675ec1d25e522dd803bc6fffc702f494f

SHA512
91961668d6a5c29156d0cd032f4bc63aa20f59e491f91a29f6b6d0028653e48667cec44d8edbbf26273f63dde58ae9e68f94663fd719c9afccb4c4a8643f97d1

Download Submit
memory/748-92-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/748-101-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/748-93-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/748-149-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1020-17-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1020-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1020-74-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1020-23-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1104-70-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1104-67-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1104-64-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1104-57-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1104-56-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1416-79-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1416-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1416-85-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/1416-136-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1504-119-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1504-166-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1892-1-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/1892-6-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/1892-7-0x00000000009F0000-0x0000000000A57000-memory.dmp

Filesize
412KB

Download
memory/1892-0-0x0000000000400000-0x00000000008A0000-memory.dmp

Filesize
4.6MB

Download
memory/1892-43-0x0000000000400000-0x00000000008A0000-memory.dmp

Filesize
4.6MB

Download
memory/2972-258-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2972-154-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3192-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3192-127-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3192-137-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3252-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3252-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3316-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3316-72-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3764-157-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3764-107-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/3764-112-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/3764-106-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3988-225-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3988-141-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3988-151-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4032-396-0x000001FD133F0000-0x000001FD13400000-memory.dmp

Filesize
64KB

Download
memory/4032-375-0x000001FD133B0000-0x000001FD133C0000-memory.dmp

Filesize
64KB

Download
memory/4032-376-0x000001FD133C0000-0x000001FD133D0000-memory.dmp

Filesize
64KB

Download
memory/4032-378-0x000001FD133B0000-0x000001FD133C0000-memory.dmp

Filesize
64KB

Download
memory/4032-410-0x000001FD133D0000-0x000001FD133E0000-memory.dmp

Filesize
64KB

Download
memory/4032-381-0x000001FD133B0000-0x000001FD133C0000-memory.dmp

Filesize
64KB

Download
memory/4032-404-0x000001FD133C0000-0x000001FD133D0000-memory.dmp

Filesize
64KB

Download
memory/4032-398-0x000001FD133F0000-0x000001FD13400000-memory.dmp

Filesize
64KB

Download
memory/4032-401-0x000001FD133B0000-0x000001FD133C0000-memory.dmp

Filesize
64KB

Download
memory/4032-384-0x000001FD133B0000-0x000001FD133C0000-memory.dmp

Filesize
64KB

Download
memory/4032-393-0x000001FD133B0000-0x000001FD133C0000-memory.dmp

Filesize
64KB

Download
memory/4032-397-0x000001FD133B0000-0x000001FD133C0000-memory.dmp

Filesize
64KB

Download
memory/4032-385-0x000001FD133D0000-0x000001FD133E0000-memory.dmp

Filesize
64KB

Download
memory/4196-172-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4196-124-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4248-116-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4512-89-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4512-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4512-32-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4512-39-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4984-73-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4984-123-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5012-45-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5012-105-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5012-44-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/5012-52-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/5144-158-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5144-160-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5208-303-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5208-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5292-322-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5292-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5456-333-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5456-169-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5532-337-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5532-173-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5592-338-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5592-178-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download