ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05

Analysis

max time kernel
87s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-04-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
Size

622KB
MD5

a84d3e42fe54fac3f98c067261573a7c
SHA1

8001b05bd0db379de0ca7b0bb27356179296852d
SHA256

ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05
SHA512

5892caa035475b4ec5fd50bdd996955e6d6b7f8a0a39abb6b6f6621801b10e7444970c7d667ec48f2d758b0c57198062a49889c2feb28534bef43083ffab591f
SSDEEP

12288:EueFqXCRQSjMU3O5s+N6NhOlFVlVsTot16+DrgAPs4F2Y7YJba2EUYhsp+yQRi/o:EunSRQ5UOOU62FBnO+E222YJbNEUQKGg

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
648	alg.exe
2156	DiagnosticsHub.StandardCollector.Service.exe
5112	fxssvc.exe
3028	elevation_service.exe
1724	elevation_service.exe
3156	maintenanceservice.exe
5080	msdtc.exe
4436	OSE.EXE
2212	PerceptionSimulationService.exe
1324	perfhost.exe
2556	locator.exe
4956	SensorDataService.exe
4284	snmptrap.exe
2376	spectrum.exe
1948	ssh-agent.exe
1812	TieringEngineService.exe
3980	AgentService.exe
1240	vds.exe
3404	vssvc.exe
4920	wbengine.exe
3956	WmiApSrv.exe
3432	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b39ed49ab3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\System32\vds.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\System32\alg.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\locator.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a1ac23a998fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bdfa732998fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094648739998fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006407dc35998fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044517439998fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd70cd40998fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6b8bf3a998fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aef36e37998fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
Token: SeAuditPrivilege	5112	fxssvc.exe
Token: SeRestorePrivilege	1812	TieringEngineService.exe
Token: SeManageVolumePrivilege	1812	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3980	AgentService.exe
Token: SeBackupPrivilege	3404	vssvc.exe
Token: SeRestorePrivilege	3404	vssvc.exe
Token: SeAuditPrivilege	3404	vssvc.exe
Token: SeBackupPrivilege	4920	wbengine.exe
Token: SeRestorePrivilege	4920	wbengine.exe
Token: SeSecurityPrivilege	4920	wbengine.exe
Token: 33	3432	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3432	SearchIndexer.exe
Token: SeDebugPrivilege	3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
Token: SeDebugPrivilege	3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
Token: SeDebugPrivilege	3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
Token: SeDebugPrivilege	3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
Token: SeDebugPrivilege	3080	ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 5200	3432	SearchIndexer.exe	120
PID 3432 wrote to memory of 5200	3432	SearchIndexer.exe	120
PID 3432 wrote to memory of 5240	3432	SearchIndexer.exe	122
PID 3432 wrote to memory of 5240	3432	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe
"C:\Users\Admin\AppData\Local\Temp\ad36efc26c01722f5f3b252bec702ca69b6d6524c0e9910f465c6b1fb912ca05.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:648

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2156

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4948

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5080

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2556

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4956

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2376

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1576

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5200
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.0MB

MD5
ed760da3e7dbdb56f667305ce591a185

SHA1
7cb5621f3955379f1f6afabdeb4d59b161912d4a

SHA256
efdc41265a3eb73659e6843cb9ebe7d9f90f4f2d174c2e3eab1c275e9e65109e

SHA512
2c964ea68e760c4fb643e99b93fe9ce1773b30e0bcbe2fe2b9e47d1a4704ea01c98008b685de471e108150e4d98ba2d35d520b7637713594c277c46ad640e66d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
fab476cdf7bc6953f6be2f08841d1d96

SHA1
19788efd36c9bde291213793dcb4c2493961c246

SHA256
efd79926de40f18b8a8fad2ad679fa6bab79315086e19cca323f3bc2f2431a7b

SHA512
4bad060aafac1be625e1a423359400b7216ab063e05525190749c3781d180c9682b0ec9e37797ae7cfddb26a3904c9e69eef43a8dd59c64941d2b99a8e181804

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bee3b5dcd81050aa49fa90e0e40b4ff1

SHA1
b0862d2dd8fd6f127403513f39020dc1a678e7d6

SHA256
484475a6852ce42b63fc3cee4b84d975a4acad92fe711aa873ff1d36d5cad76b

SHA512
2d22260ff28c7c471058d8e5c7b63615755aa15d0d5f9467a03b1ec556d901400c7749a173cf3cc08b183740f9acc170c80e1af8ce69bd9ab990b59dd605a126

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
50aa29ad2a683aba3200f364a1b37733

SHA1
2b1c8264d0a1304fffe539cf42c46cef0806371c

SHA256
7f11f053f416fb3fe8150028b1ae7bc16d267357528e6289a9a1dcce91a9c841

SHA512
4c15eb63a95771d0a310e734185f80843dba7261ab9b0e0dd4b1bb65b4dbd97f69ccc85ae7f80e03ce93abea6e39e91a5fac8ce3fcc27d8974795dae0993eb57

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
2d2c0e6e479fece9ee49f9cc215ae551

SHA1
26e4d4f39364d355f0cb3cb0f2080a7121b61eec

SHA256
54cbf4e090e177f1b773107f020bd6e4568cecb0971d4cf86cd9751be12e551b

SHA512
c1cde5b7668f3781c7186b4aa5d517afc09ec2544339dc0b21b3e71484df960e81a8ad8fe1b1af5f657de3c6ddf31d0ee6d43422ddc061ab809825f8ac205374

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
edbb9c2bdaa7018830c48f016b3d1e97

SHA1
01be2104134fcd66ce51cd73fafdeaa37f9eba06

SHA256
a0958c3dd49ac97e253de7920e776944532e30f353847fa1f384488bb9d9ab34

SHA512
ee466aa27a9470afbda8eba6cd11cbf4ae2b3373d9e7c87df689a29452776d93b82316375d125154007f5dca1910a0e07dcd2fd52f9c98184d75edcb7fe61426

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
69c222079c73f646714b7df77e55cab7

SHA1
77ec5d9d00e8edeb1fb925864f55f40fc2e5e814

SHA256
31acb4bef7030a582a9566e486fadd9dc4a1703623082f5dd51aa3a0712c7af3

SHA512
8579660dabe0d4fb2edcc5fe3f06de77e4e5d898153fb13ebeed2c3d6eba92250fc1b0bea5b570940ef05620ccf8932aa331715fad82ac62429cda5d31a03b1e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cfb63aec3e0435057564709010756ee7

SHA1
ae23abf46aa3799bd1c98674c76172ee875a41c5

SHA256
d486145c565bc1a07a9c2cf195500fad1143f83b703b19eeadc2899c62c12f7d

SHA512
a7bbdd2b83c3462c2741cf0ce3a05e54a4ea60404639618eb63484fa10c8ea4562e245aaa3d15955048343d4f8a6d02a0585954ec9e89509a4bcff158ec67951

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1e074c8f44fcee5b8446a70391e2c21c

SHA1
cc2d692652dd5d3f40802c6fdf2636546076edec

SHA256
119d1b5dcb2ac1a0fe3ae3764906d3b86714958300dc0fbe8a7bad95e8082f60

SHA512
d6283b38da9acfdea2cf5d457f6b1b5d0a06a201478326e16095ec4f66233c328aef3f42616ac2a4c58dd7d3251bb759a8d32deaffa12012772831cf19a33f16

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b2c197260c49b4358ca0ed04c0e62f78

SHA1
8e066216b15688171f2182435a516978d91b33cd

SHA256
c785ea7528940dcf945e2879554784c694be6a47fd59b79776fd0eb3a3f9ff91

SHA512
e987fb357f71a9f5437c131ebfa7c10ddd09f503deef1323aecf237d4416897e5a15f2292fea5d0d7c417e11d694796eef4dc12b9a04a5835876e34ca8053d0a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
4d9d59c57893cca98f0cab27a6c8f960

SHA1
91434e8961488f68c482174452d64d0f4c9c2936

SHA256
f7c2202d1957b64d70738f7b228b5823787cde069058d9ee84451656df7fa01f

SHA512
111370b180c1454ba98799d2035292743bfc4f78659faacf6827cad95c0bdd9be94c5cf8782149d0534ade54d20007ecc1da37cb9866c510fd66000082711b4a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.2MB

MD5
9c56cb18c74eb33e1d2fee0e408b8439

SHA1
dc656f1a0abbd4f68b4c870dd19133810ad006a2

SHA256
6cf972504dc63fd8a548594126844916103c60127d8ec2f106b2cf3daceb35e6

SHA512
b646395e6918eac83d3458ed46f9c38cfab46555df29fe22ada317ad1e51b53a63acb4b655c8f47036f6317da2672a291e0188ebbf6095340d4655061d6b13bb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.1MB

MD5
ae52f60c1685b986a5d7b6fec462b394

SHA1
1aae3421c678f32f1b5f478f5c10bab320c54013

SHA256
cd4832425f01ba3ff035017a94a07faf375324fbdc4c5901c55c1e1215fbad6e

SHA512
a368c43ab50feacfb771e14f631582bf2125d5f8a22c66762d3f7bd4b431fdb72d10feaa3cb97628e21b0f8b0589066aac0acc979a0b75fc5a79f75d97a62fcd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
bd5fe3fa5baa70e0a3ce4e3bf7386a6e

SHA1
9122d9b2920cfd3d889046d267edb0fd7fa84500

SHA256
6317cf40c0f140b08e14186b4933dc543ca2ce8491aae4226e7e042a45793aad

SHA512
ee07cd339b74f0285bd1bc28eb16f85619a9f40d9e5683fe1cfb8b7661d36a8a41ad753d434d8c79d41c016ab12c9470aab60128a4e8f57ae4a1772ef63d6646

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
4d0c05783d906402336dc683f361e425

SHA1
e6ac4f61e9a4bfdad7a850524a8b3b0031921dad

SHA256
bcde015cf6ec8210d8545343f4c498e50f1626711b94c45046453b907937e773

SHA512
312a2fcc36ad10d27694163b37bbecf01d3c9e1b6d89fa84402cd2a6b5dd30d75383d2f887b09fc1c6d4f0f0ed0ea58ed9f97d02ef6e8d8a8b5c26b9479e6aa0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0940c0797254e721333bf92127bb66d8

SHA1
b00f43c42fa55baa87e0ec7c8f8f63a9b097fe4f

SHA256
0c51abbf2c09eb2a72793a4ac9b9b9c6c93ff0d8e98e1f4fd29a8f5c99116832

SHA512
907c120514e43edb93829f330cb4a21eecac8be885358503f5c8ca202d9eb9a7b75124504f3902c7c1d6f46cfbe79f841ff0e07c4235d748088b2ab7f5aa719f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
00722485a8a82f77bbc665d664c2406a

SHA1
44fef013663ae0a66853959aa2cd55f326b785f1

SHA256
b7eedbd7d4154c8293b9ce0de6318c90d28d494aedf5a32a0f50b181c87a42ba

SHA512
7c4c1cc46ce801d147036634a0ba5b6f1a81bb36d89d45fc6ae0fc5e9507d61fb74328d00289ef1c1124eb8f1ff642dbc819ca302e4cb29d5a291fd210d856ef

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0d191f523a3d9bff2e68aebe25888cc0

SHA1
ce8db1657080c560117b3830b9d228a3198ebfb1

SHA256
682c554407123a386a38354ca1af7573b0db47bb97b612f54303fae1f3801503

SHA512
f515370ae86ea35e009e78bb589210a7cbd82870b387acca97cd68a1a33621e98f63a51787492b1b39f2ba21e130b30bc3b145f63f556414260b97991b0144f4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0e522867dac05fd34e15d1de0c9edf98

SHA1
a61535092ca283c8efac8f9c235b5f9fccaaf76f

SHA256
004c3e063d3d2a8af9febf076493b625fb8c06cb6b488dca155f70a90a367e75

SHA512
967e74de7ed2c9086e68f44b0ae8c57934e210d7eb6542bbbcefd0ac2f1d5d4408cfb39ea4663a69fcf1d873bdebe08f750e2ab28723b2937311f33d87969467

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e11b19dbb2fa48018713fa5d988789e4

SHA1
6958477575033bc76dbcef4aba7a265b823675c7

SHA256
22f4566d3caedc27b7235e790eda6d6216629b8c848e8ef1cddf0ed2d58b20b0

SHA512
36969069a3dcdedc1e3d5c00f7ce07c82579906ec7c9501d5637e9646e216151ccc98d55b60718ba1ecd861d5b2a89f7a57f4d04ede3770da858981a28de14ef

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0f66eb729e661e47b5b1637bc8cb4fa0

SHA1
1b636418ee7e628ecc792989e0b2a62977a3af4d

SHA256
d6fbbb73908db009b418ab912a883cbfe8fc0e250f1425f722d157b6fb55a02d

SHA512
e79457798b1593f87ec2ab1bfe43dde5718366f4b0fea54666267dfce04913f6975c07cd464af1dc405635b42df7eca30bb79c027a12033436760904353d2a9c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e5ab20e0632ba8f354f6e221b9eb8335

SHA1
57dac5a1c101e2dbfaacae8437c3e06ede098e4f

SHA256
2062f1a342d454733901cbcdb5c2a26769bd20d902d3761194e147bc34a4dc14

SHA512
02122d20296f1296cad9eac50418ca6ce5194bed3f995953e249e0411eb5d81de5cc267170fbfde18a3f928a8e4506e4161016a2744dc99bb608149ae9b9da12

Download Submit
memory/648-19-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/648-13-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/648-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/648-73-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1240-241-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1240-343-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1240-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1324-132-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1324-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1724-69-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1724-131-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1724-64-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1724-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1812-270-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1812-210-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1812-202-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1948-257-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1948-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1948-198-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2156-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2156-26-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2156-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2156-89-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2212-182-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2212-120-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2212-127-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/2376-184-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/2376-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2376-244-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2556-135-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2556-143-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2556-201-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3028-118-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3028-57-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3028-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3028-51-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3080-1-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/3080-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3080-59-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3080-6-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/3080-7-0x0000000002240000-0x00000000022A7000-memory.dmp

Filesize
412KB

Download
memory/3156-86-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3156-87-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3156-74-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3156-76-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3156-81-0x0000000002270000-0x00000000022D0000-memory.dmp

Filesize
384KB

Download
memory/3404-253-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3404-402-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3404-245-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3432-285-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3432-292-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3956-271-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3956-279-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3980-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3980-224-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3980-230-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3980-231-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4284-171-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4284-161-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4284-229-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4436-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4436-112-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4436-169-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4920-258-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4920-423-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4920-265-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4920-432-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4956-351-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4956-350-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4956-214-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4956-157-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4956-147-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5080-98-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/5080-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5080-91-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/5080-156-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5112-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5112-37-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5112-43-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5112-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/5112-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download