a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 00:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Size

622KB
MD5

a48dc6f58a4b81f51fcbdd2153568c85
SHA1

11540e4f9c7fba27e953c155a136411fc2c4527a
SHA256

a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471
SHA512

4f407e77d332ff265dce879cd4020b1d31d62afc87e141da7de968ac677b1e6628ea5c7929a7f41f6451188343d928d964b23c64c6f2416c6c980e0e08a5d436
SSDEEP

12288:tuW6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:tuW6LaRFdGJm0Q3WKVSwdr13Ek0VA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4464	alg.exe
976	DiagnosticsHub.StandardCollector.Service.exe
1272	fxssvc.exe
2520	elevation_service.exe
1564	elevation_service.exe
4492	maintenanceservice.exe
3436	msdtc.exe
3384	OSE.EXE
3280	PerceptionSimulationService.exe
400	perfhost.exe
2692	locator.exe
112	SensorDataService.exe
756	snmptrap.exe
4688	spectrum.exe
4080	ssh-agent.exe
4576	TieringEngineService.exe
1240	AgentService.exe
1996	vds.exe
1088	vssvc.exe
788	wbengine.exe
2100	WmiApSrv.exe
1012	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\System32\vds.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\System32\alg.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b43594a0b3e2edcd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1342F81A-D5C5-42B4-A5E8-933F7759DA30}\chrome_installer.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000050fe611be92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017f92a35be92da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000deda7425be92da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cd4882cbe92da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d930f830be92da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000645e9536be92da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeAuditPrivilege	1272	fxssvc.exe
Token: SeRestorePrivilege	4576	TieringEngineService.exe
Token: SeManageVolumePrivilege	4576	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1240	AgentService.exe
Token: SeBackupPrivilege	1088	vssvc.exe
Token: SeRestorePrivilege	1088	vssvc.exe
Token: SeAuditPrivilege	1088	vssvc.exe
Token: SeBackupPrivilege	788	wbengine.exe
Token: SeRestorePrivilege	788	wbengine.exe
Token: SeSecurityPrivilege	788	wbengine.exe
Token: 33	1012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeDebugPrivilege	224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeDebugPrivilege	224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeDebugPrivilege	224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeDebugPrivilege	224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
Token: SeDebugPrivilege	224	a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 320	1012	SearchIndexer.exe	115
PID 1012 wrote to memory of 320	1012	SearchIndexer.exe	115
PID 1012 wrote to memory of 4672	1012	SearchIndexer.exe	116
PID 1012 wrote to memory of 4672	1012	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe
"C:\Users\Admin\AppData\Local\Temp\a3027d9d16fe2a6ee90f4d57a519e7a8be61baeca3b5a5ca5daa35da8d64b471.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4464

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1876

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1564

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3436

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3384

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2692

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:112

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:756

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:788

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2100

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:320
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3932 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:8
1⤵
PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
9853ae10fb5675e713c637ca4ff18765

SHA1
802b653b14e5e81375f12eb7725f2f211c5b8907

SHA256
f1b87231241d22066f6ef1d8583112d67a54555d0ca7f404c58cd2ff6ae1bdd1

SHA512
9bb542d951e8cab10a868369da3fd9c47ac370c8aff36aa40e803ac762a976d03ca3c4bbe7576093596be2a57081bc56199e51e675f02ae4d7cb444a6e80707b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
9204c68c8138367f66a9771b510c1e1f

SHA1
160e1c11c60c4436c50f5d9aeadd461c565a4746

SHA256
0f798a36bc6ef9691de85869d6fbc448b36c08995c7771f698bb9eba2b3e5a22

SHA512
8ae10ea26dea093fbfe89ba0e87d0880b2e296b9ec683a509aae2f2c8f947008ae1c2f5c72f6476d4d9512b6e1743c97877d511db214b6d44f38ea65ed62b005

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
4a9a432fbe692c3cd53425d2b21482db

SHA1
9752c8c5be03cb9dd8047b411b621b1de2a9dc46

SHA256
604e9d297a61fb9acd2bb9adc1c1a613e57b0a773c4dae5733ed8e33862ddd69

SHA512
fa9196406abee39f5f7b04fbf1f60cab66d712abe3227c482539a5b8e71efb344ebf50288fd07c0e34ed4823e3cee3eec5bb509ccc8ffd657072712827c07682

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
abfa755b7c3db7458df6c767dc022139

SHA1
f745d017cc05d53998436f1c44c514d75efe7e61

SHA256
2c2315089f6ff19f366574204da3c80569707b7414fa0447575110751e8124c8

SHA512
8946de552e6aad8975f8f5c201a5e62188fed4f1daa8bc0e43ee674f64b8d1fa8d81a979e65c934da9f06a0c4e0fd42bd5e20c1afc066ad050e0331a7132d493

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
faf9df0113d4aeaec2cf182e4e5e3e7e

SHA1
702a89d8769894632d72a11118501b68dec32eb5

SHA256
b6e60b2c2f374c26d1a2ffef1a9a23f09e8f4299736578869823df9f1c7b20c8

SHA512
be7fe896c7bb3156949ff299572e97804a9d29df5e52d4651154c298188b8337b89119a81f9cc52afe7330be729c0a8e010ea255af321d3cb78eff771a5cd5ce

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6cf5f2601edd2784774789f16ac69b4e

SHA1
4c0dcff7d03a2de3994efd2a86ec8f36f4688231

SHA256
4dc8b5df6b286b2344bf3f67053b56b25277d2a8ddb3356303185ebaebcf1647

SHA512
5b45226774aed69315c97e15964f1ac8472e85aea86ca15a08e5d1a53c6fb07dcb4c6fff76e1b8da72dca8fcb4fa7d9807eb4c7737c5924dd3527d4cbb05806a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
76b4c33ccb09e73692636db14828584d

SHA1
4c05520d1f6b6ed1a7a350ebb5cb67dd296da5ab

SHA256
f195fe4fb9e21a877958640aa0297f0ef1a0adc18a1ea50d173a0b13b55d1b22

SHA512
cd58762470a58e9d4973f50ea7c0ca1746324ab0a3af7bc9524946216bdd0af6f59ed55d253c797d7e95035ab53bc881a6c6ca876e3cc4e3d067cecf876a3671

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bea41ac962fcbf7a7e605b4bfd9dd6d8

SHA1
4b19f12b62af49da8950051e16efbe9d5deb4c51

SHA256
4661f7ce505afff7d7d3d326a65288aac5976a579df10f96c8ba0d6ad1f8d52e

SHA512
cd596c2931966a2bcdf95e854af2a8ab3ca5ec3ed813925c1d6f0cb645c3263c33ffdc0dfacce08cf857e4b2b0759d3a3dcbd79d05a2d38c4f672c54a2989529

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b4b9fcf2cbfe58fa6d309445342d8583

SHA1
bb6b7c99da0095f4efad217df9b110423e02c5e2

SHA256
e39d2a9885fbab4c6244d91c485c9b92431b5c9ba16fb90530b6f89f068b9b90

SHA512
f02b8ee40eae4d1fb64becb19a938f6673dd1b57528276456a323486857cdf222be7355c536163f3a673f7d95f929fc97fca253997e62fd9f30b78ca116e2aae

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b1f1dadd25a53a96a6272a4efce3171a

SHA1
702f8e75e44823c3a15edb493cba51d7a4eb489b

SHA256
63004b42b31f04fd99b4f99a1cc5b654e267beb682b040607a617ca47e6146a6

SHA512
e417aae006aa80c61c1f84fab599036a1ec268dda64a56eb0cb3b885643b638a21ede457485f579903f6ef9872ee61f7c07aa9bc00dddc0555bcb8415116c2dc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
cdd4e0d93c6568ca820c36b63abd8792

SHA1
5ce3528067d1dd97145d3aeaca806996d095ddcc

SHA256
7d73c8a03f6f94c2ac8551d3abb4ab5aba10c3fa2028dfe90731e19e3c4b3d40

SHA512
898c7fb80db93cc0ad1ad96479b58e4276fbf799e38edb7db6d4e4b26be247d9e5f7935d5b3fc8ae1cf3a715a645ad3facb2d8d8f321e4a91ccd954a1cd1a7a5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
9dbe64aeb2a6fd6cb73dcd06ba5ef183

SHA1
f40a4dfa41d11d2bb49355c584a0b96a44638482

SHA256
536b4bcb976d83a5f004d7a702d8b40917d2c8f5c61437f164c45d89199d1abd

SHA512
1dea848122eb9f03f01574f546ed5dc94c8ff8809053509a9dec3d59de48fda460ccb10e042a5940c7d8d281cb49cfcfadb8756c1f6f4cbed5ee7f3c67c89844

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7a63cb63d4967166e6a3dfc238622041

SHA1
aa3c10f1cd50e74e2e5cc9d6b76df71e57f7c1b6

SHA256
2a6c2b9eac2d9be8f323a938f12942ee406068c83fcad4687050eb0fcdd135f5

SHA512
141e0f3e3004ad64c32c3ffdfa4754370852957f0fea0db9b8da6ee1b2e4a67f8620213e72bfb9e61c80ae369f29be1d2c34b33da694ff7026a841098447fc39

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a961399fb7e56d66a097d16182ad1634

SHA1
463710b34400a657e9a39333cbb87a68cd097acb

SHA256
e6abfec4ce613aeedfabe48ad9dc2f95df9a72ddd32d3ddc05de31bd4374b410

SHA512
663ccbd386189da379e57ed743e6cb4d7b0b7d63675cbef3ee8f638551974dded42322319a2d96d3f754533617112b2bd2a5031b142b3850cac2751eafba4583

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2ae61f47eca362d3732e5ce1cb73bc60

SHA1
3161f62486ba15dc2481fa99d02b0f716f20c956

SHA256
f90c1530a15df7d04a922e98bd4a1492aad34115f27198c2576820c17aeb37cd

SHA512
8265dac08146a4ede403c39c493daf9b44bd50851d9579c2f02bd38fcfb75f63f76624a62903e6b981bbc40686bb6473037beb6031fcb00f14b8bac5e110f6d0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b58f3e1a39e9077b9b20734a7ff3965c

SHA1
32f391abb30e85369b8a84f311e87054fa05f7af

SHA256
32c6b4d3349d0429cf844a73144852958ee055a03a592e441f2b1e00aa6e96b1

SHA512
2a3e29f8a9b13c015db131c52788371da557150c5d6863fa93196f6d64aeb11fea985e51f35c67d09a5038b0e4f75f1b9bde49891f8798ba5d78b16f84fec0d8

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6d45841b7b40981926c20df9db03a1b4

SHA1
915284c04cfca5f0314d5dcf1876052e8b3ad41f

SHA256
65daf5d4a60aabd85b57ac614b7808713793b9f2c9960ea69dbc743f23700324

SHA512
6b84896033eac9c4547bbb54117eabc49c4b5f26899c0b634b4008adc24c62f4a8c439c29d45abbd2b0ccf7f057676ceba66c1807af3b197e489fd7156c748ed

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2f411e3c54cf5d185dd2449f077e511a

SHA1
a695ed711b393f39f758e7142632cf08309213e2

SHA256
45a49320c70b575d9c7ce6b5479d0a4f12c95ec861f0137691e4b79c85bdb83c

SHA512
8bfe9487780a09a384103e4bb78c8f27de8828b0fd6d22d91d29e72a56eb8bc01d16f43d305cb8db244d43b49db0b66e9914bab8f88569366a2e3799a9c5dd77

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
7658b1f78b8b345a988a9072054840f5

SHA1
6bacdebfba86a52e3bbbc5f08f17f1354ebc57a1

SHA256
b26799a2020561d20ed8d12b28b4703f5724c6d775040e97621a2e8b4bd7beeb

SHA512
f7b13c24f26e04170a5be32f84800be6123aa999b12ae149c6dded2190e974af83a4a9b2c8de2d01149aa4b549d6a6a5185a49367b962bf761718e525efd6590

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
478421ab8ab3f7cc02a9993d692c3b12

SHA1
331b4455bfe51b74cd3d23c703c338f83b2b5ca0

SHA256
e3c6492fddfaac65f52100455f10979b2adcbf21e4f905b409c1d6764bd186ed

SHA512
56cd78a5f27999832e214b4507d3ddb74f849886fca2f0f3e77d22d39e6eded4e0a60b46ed1251e7d5f9caa4c6aadc0c30197ffa427cb456159f71107996b414

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
79cec175ddcdcae74444d22132b9e409

SHA1
0143945e7efc6b22ba8ac0486f7b4e86ba38b03b

SHA256
71fc51a5094bbb683b4b09ee16a66abc4e966e9bc79523b201174d93a41c3338

SHA512
8ec58e1920f526eefb4675e103684ddf0e20c00f1315128cd36ccea927fdb3fce0d9c59553ff5d7ee47ab553b4b087a1996d2c72e2423ec17647f828f513b054

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
10f89884cfc2349216087c6dbd3398c0

SHA1
a1466c7c5a00de231f6a4232fbc12d39f98d9b45

SHA256
cb775a2a90854a4ceaf9091e64e324b74b3557a55879c7c9f87a6489ffd6dff8

SHA512
1ea8ba48fe2f4ad41bd70332f397cf9ea4bb1e89ca8ba2f9fc05fa7354400074e3a564d70b8dad596f1e736855d8b20a9f59525b9be9019f5a0747608d430632

Download Submit
memory/112-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/112-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/112-158-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/112-300-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/112-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/224-6-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/224-63-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/224-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/224-7-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/224-1-0x0000000002290000-0x00000000022F7000-memory.dmp

Filesize
412KB

Download
memory/400-134-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/400-200-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/756-234-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/756-173-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/756-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/788-263-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/788-270-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/976-91-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/976-33-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/976-27-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/976-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1012-289-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1012-295-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/1088-248-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1088-257-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/1240-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1240-227-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1240-231-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1240-233-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1272-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1272-38-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1272-44-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1272-48-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/1272-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1564-67-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1564-70-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1564-62-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/1564-133-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/1996-235-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1996-244-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1996-338-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2100-283-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2100-275-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2520-51-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2520-52-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2520-58-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2520-120-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2692-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2692-204-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2692-146-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3280-121-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3280-129-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3280-189-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3280-185-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3384-116-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/3384-105-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3384-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3436-157-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3436-100-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3436-93-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3436-92-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4080-201-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4080-191-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4080-260-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4464-74-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4464-13-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4464-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4464-20-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4492-77-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4492-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4492-83-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4492-89-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/4492-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4576-273-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4576-205-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4576-214-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4688-186-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4688-247-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4688-176-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download