7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
Size

1.8MB
MD5

0fd95ec54dce159a7796f5f5fcbd8e13
SHA1

dc19e4c09a0de4c113bdb4b2ed9853583bdb99cc
SHA256

7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba
SHA512

fe945976332c5e9aa3d2e099935e8fe33be83e981b823b4d1c4e433340d6e67d0a038579d389798e6510caae6ec1f086e8846fd1d3aaf24943efaea44c6895f9
SSDEEP

49152:ox5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAqaB0zj0yjoB2:ovbjVkjjCAzJgB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
4516	alg.exe
4480	DiagnosticsHub.StandardCollector.Service.exe
4780	fxssvc.exe
4332	elevation_service.exe
1508	elevation_service.exe
4644	maintenanceservice.exe
4924	msdtc.exe
4100	OSE.EXE
1584	PerceptionSimulationService.exe
3804	perfhost.exe
1552	locator.exe
1332	SensorDataService.exe
4264	snmptrap.exe
5068	spectrum.exe
1468	ssh-agent.exe
1996	TieringEngineService.exe
3324	AgentService.exe
1144	vds.exe
3648	vssvc.exe
1148	wbengine.exe
1032	WmiApSrv.exe
4508	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

Processes:

7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exealg.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\fxssvc.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\locator.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\System32\vds.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6c5acef8ad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_99140\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32C8.tmp\GoogleUpdateBroker.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM32C8.tmp\goopdateres_ja.dll	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM32C8.tmp\GoogleUpdateComRegisterShell64.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM32C8.tmp\GoogleUpdateBroker.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exemsdtc.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000540f675d5d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a060375d5d99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5cd065e5d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9df195e5d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d595ae5d5d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db4d245d5d99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe

pid	process
4480	DiagnosticsHub.StandardCollector.Service.exe
4480	DiagnosticsHub.StandardCollector.Service.exe
4480	DiagnosticsHub.StandardCollector.Service.exe
4480	DiagnosticsHub.StandardCollector.Service.exe
4480	DiagnosticsHub.StandardCollector.Service.exe
4480	DiagnosticsHub.StandardCollector.Service.exe
4480	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 41 IoCs

Processes:

7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exeDiagnosticsHub.StandardCollector.Service.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4784	7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
Token: SeAuditPrivilege	4780	fxssvc.exe
Token: SeRestorePrivilege	1996	TieringEngineService.exe
Token: SeManageVolumePrivilege	1996	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3324	AgentService.exe
Token: SeBackupPrivilege	3648	vssvc.exe
Token: SeRestorePrivilege	3648	vssvc.exe
Token: SeAuditPrivilege	3648	vssvc.exe
Token: SeBackupPrivilege	1148	wbengine.exe
Token: SeRestorePrivilege	1148	wbengine.exe
Token: SeSecurityPrivilege	1148	wbengine.exe
Token: 33	4508	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4508	SearchIndexer.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	4516	alg.exe
Token: SeDebugPrivilege	4480	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4508 wrote to memory of 3148	4508	SearchIndexer.exe	SearchProtocolHost.exe
PID 4508 wrote to memory of 3148	4508	SearchIndexer.exe	SearchProtocolHost.exe
PID 4508 wrote to memory of 1724	4508	SearchIndexer.exe	SearchFilterHost.exe
PID 4508 wrote to memory of 1724	4508	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe
"C:\Users\Admin\AppData\Local\Temp\7003b3000d278ffa2004155ed40b128433f791eb5ebb38a6f73a413bf475b8ba.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4040

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1508

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1584

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1332

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4264

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5068

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1468

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2056

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1032

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3148

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:1724

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
Filesize
1.7MB

MD5
8bde744e563642455d562b9c0094c10f

SHA1
a360f71f7db4b88853856dafe15f356fe53ca485

SHA256
6927c3e8844fb83ed71b8ead4bfbe5a53f415b5316478fc6c0cc4056eb08430f

SHA512
d0e4977c6b6c3bc94cadf510d4ee96a658e89097d53698f21434c6369a2aa785f4c2ca23076470a045a90928b49fc5252550305c420050aa437e206a3c86e866

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
Filesize
25.4MB

MD5
aedcf7c04c4032f0e9e5816e1166f968

SHA1
7f9faa2c46d2b6a968d7f62653d2fc8ee087c5b6

SHA256
5d107f148424113c674767f8940a7262fe9fd9afb3847fdd7e5868b7e29957ea

SHA512
65f3124e958cc797de06e4cc847e99a5fe84ebf4c632d98530360baaca2c9aa7d6d8cfbbd8136ea44a049204864a8e08b18ab4b10149f44d7149585f55381c82

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
Filesize
1.5MB

MD5
a49dff5b9ebcd48b925ba2c3f3aa3e5f

SHA1
cdf339345abae5c69b1697efd66fafed08c76075

SHA256
3007cd319e20c62ce6deb88e363ae1990fb159b054508cd4bc7c64836fdca263

SHA512
ae3a023ed7a58e82dd1a09d406b92a2ac9e7055bdcf1a579b34a0f07d15989490606b048f71c97666f1a57a13b01961850574855cc8fb842c7bc725b98721eba

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
Filesize
1.7MB

MD5
aa9e7b2506b8fac2705bf05401698f82

SHA1
125e3f4ccf4270e1282cddc530d0e4a279c7983e

SHA256
aafa9a06e9c6405a97c943e5bcc1350defcdd648a199e5226870d4f835de1455

SHA512
cc77a525a278fcdf1e67970a4464de907d6d80d499500bc62c3b36ee0509b72f0c2c54e6168960639d2ca560937efd4dbbd25b37c7d1d677ae9b699a0880605b

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
Filesize
1.7MB

MD5
3fa5ed4503ccd88c44d14aceb4226f61

SHA1
f75049b6aad881138b80cac07cbcf60bda2fc7ff

SHA256
d6bb59df5b8c1db4ce29ab279f724aca52e730664ce01855a16b57a9d2664ccc

SHA512
388c1c1dad9bc8b3c4aa1aaa896af74ea1a4d52caaa878650a525701447073328b6df3d2b30483724daf9c23c47497508da3aac023e2e55f309fa7100eb97c4b

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
Filesize
1.7MB

MD5
4b98a22fbfad3561cd966d1d63a6227b

SHA1
eac3b44a6f4cf1e184934bc3702147d64dac1311

SHA256
7903c09404a57e9dbecd5157bda7652320522d2834cb992e9c7d6363d59b9704

SHA512
130115c782d3e95988c57b62c7d85ab43959668d08ee6ca9d305860fbca71532ff0d6b6b5e4ced23f2c72ce3a17d0e4a0415264156ec67d40ccbe13b6dc6cd5f

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe
Filesize
1.7MB

MD5
65b8ef2555ec42eed874c0e7f4346fd4

SHA1
af996fd40cef6a7070875ee27a48816b3c881ead

SHA256
b33ac24c308bc1e975e71cafab7e6f455eac01fe3f1d7a8dcfa09b465b8edd96

SHA512
0af1387c4060c33dfb3a87cb3de75704c7a9fd9f990d663c96169c97287a462ca9a7209e5d05a032cd8b5dcbef0d4b9206782c549b5c8b9aa1928027aaf1ba95

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
Filesize
1.7MB

MD5
b229893c949bbd449c20b88dd0b9e516

SHA1
3974b0587a95eba40e65c23cdd50e9e1355d5892

SHA256
e8e5a299ddf24164862b228ba5b4b98826a36523fa9d9d5e97eab473949094a5

SHA512
d517230c479fdff5db21ba04ac7b9bfa6d517f59d76d6160eb01e0213ca9249837ea79791d22c9f20bc471dbe33588cc9b4ba4cf6ea78390b07d97bd620cb785

Download Submit
C:\Program Files (x86)\Google\Update\Install\{C1566D4E-90C3-4D8D-8731-8398B4F79F34}\chrome_installer.exe
Filesize
109.5MB

MD5
67773819dbe3f5a7298879284882470c

SHA1
fb996e32fedb9b962408c3f8b6e5b358697f96ad

SHA256
e7cc63549d245550636baf8827d5af530b4bd305874dd689c8e939315511abd4

SHA512
0e16920e07e3799958c4437dfb46939d254f2bca26d4c1a77d5592582fe8f24f080e64e710365e147de6b43b1012921eed7960c7cff2bb549b2dcd9cca2001fc

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
cd90ae199bdc243c8449945c0c199c05

SHA1
9c76ebb53e972ae67e56f092de30d149901fc2cc

SHA256
e6f3bcadcd98ab78689c11f06170a54beaf6b422b90e9373e287ad69811cba7d

SHA512
385bb7c7d634c2d0a14d98e96830ddf8b1f705f927aadfdc59f6b74b3b217bbeaa01bedb2cdacc9cc53a2710ee91f39436afe4680d81e3ec9c04f13fa7dc4da9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
1.7MB

MD5
cbe3eb374c302c294879b041693b6879

SHA1
be5bbb14913a92c662c68ccf058f52ef7485f9d0

SHA256
f07c15d1d390d5eb1848e8636fa2aa4e133a22eb1e16f8177433cea4a3ddae16

SHA512
2ffa312ea29abeac8de90cd01f0f2464b2e2b4c9939ebe76daa6ecf9fede94d5ce85affaeb62a44516735eeb951ff03da9180bcc06209af2055ad6d60c10cb17

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
1.7MB

MD5
eae70baa1ba5fce0efd4535e113c9e32

SHA1
c4c1696a6480ed49f2a97a77dba191b8ed7315fe

SHA256
ad821063ffc40604ffcca8af499aea36a23b7fe3bb16302892c152a185874d48

SHA512
b9f38988d1583858f569e54fa27aa7b11dd262f713f04c8504b8ea8ca39a0a2e13abc73ca2638e6822a3ba0047bab9ca10eb1fbd4f99a21a0d7dc31210d64414

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
8a91755d11c2dd437fb760d91394e24a

SHA1
ba00184c4e37e999d1757d04b4e92d6c33cf8a2b

SHA256
a2b448fba7c181f66b40e28e87a0316af8180e0bffd9f546144497d4c4b98acd

SHA512
1b4fc08e0b230b9ab4491cfffbbea4b9b501d3ed5ebfe01bfaab0842e66ac4fd58097ea1f37db1cc5f36484f1e4284434162a82bc1ffc3a6fda600fffeebe2f5

Download Submit
C:\Program Files\Mozilla Firefox\updater.exe
Filesize
1.9MB

MD5
e0458ff8445d8c44a722286e80ec0e56

SHA1
9cbf38368ecf903c982a7bb667ca32192ea265ff

SHA256
62c704ef80481bfd641c92b82c8b339f46f2d1c35e0740fd374a608d3686ff1e

SHA512
92c8a1ead074fe02fb66e341af18acf1e4f607aec9cc3ed3457ae34127df8853da4ed156c2e98a6030123d6ffbafa726cf78218226ab4a9408014a8c0cfbd3f7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
f5ef3e4ee3137defc0eaf9b0f00d36c0

SHA1
099e3d2ea67c4c02ac1d4df5c62edb907852ed95

SHA256
d18d138915abc638573d07e7c5f88858febb0597db8d66f634870febb0e6c26f

SHA512
573f9152c52cdd4d481aa8910265c6f65f19f7aa13a1244616433ab9d76b6f913684ffdbd758fd54f5f6a2313529dcae9b5e8b3338e52a9c0d92097193b52207

Download Submit
C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe
Filesize
1.9MB

MD5
af982fce9da800be64530665198dfec5

SHA1
78e60e0a52611583e1dea83d8a3ed83b1944636f

SHA256
bbb5304fc66b81b27a3b0d8b260677c20442afa8b680b70d8a524fbcada40974

SHA512
4d16bae061422385559c554732232a2d8f12c415d98e4201bdc89d1b5d70df4d542435c14facd4c40115a5ed113a106d53fe2ae39d28d2c4549071fb937448a7

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
1.5MB

MD5
8069e334a034413659c4525b3d456fa9

SHA1
b397bb876bca9accf5913b136442a7e7f64b60b0

SHA256
753356fcd71a512b29aafd6f2c15a82b992ffb1e01c663ee5eb57b0bae47d0f9

SHA512
18e243e65669b7e65d776d051596a8f059d773ab6b93cee0897ba38dfbc51da6486b157b2ca4444571c6a1348b482a9bbb918df95ba50ee1360355fa452b1e78

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
e3d370849c4de137aa740d49633ee424

SHA1
659578518a37910257aec836ba0a304bb6cff9b9

SHA256
a3f8b6cac731f73737cd709e05a73de57297cf3ec19dcdba079da9e85b7def09

SHA512
3b39577575ce8afacba499f535891452714c1573d383e54cca9c1d19d2bf951ecb79a4416bcc1c5d43941e1b672fe9419fa030e8a2f4d6af4631f6a4cd7eb5e2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
1.5MB

MD5
44df31cfa2cd26d4c5eae5b40f318138

SHA1
887e7e019efaa655d4a90a34bf9de51c7c608db5

SHA256
00f5ab3349ed120db7f6961dc953402d9e9400891bc2cff51c0afcb2099ca29e

SHA512
a94957beb9a94d186c473859a9257134993dfbb3a4b42b59988274ac7252dffac14f7cdf1696806f91ab692e89f1e5e77f5824e7eed64830ee019be7d21455b3

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
58fec6f82ae268715859e93c68f43059

SHA1
4c3fe6b4673da93c476f4cd075554055285d178f

SHA256
bee3fc2e800395c025c78293f76ec24494d17e2d2745f48740af9cacf5c56e5e

SHA512
9f245c56b926d77dd94e6311556d9adbc72a8914d3c65f8e9bf428ac655121faaf8f84bc08f1f140b6572a8172faf8dac440aa8701e411da348f3f6a0e46b34e

Download Submit
C:\Windows\System32\Locator.exe
Filesize
1.5MB

MD5
25384afca2ec4065650ff734ed4ce54e

SHA1
8a8574469baff726dd8436e0400753d19f76a335

SHA256
93672729e88fa84962249c6279b22a061b265fbc9d62fc80508e44c37c51fb3b

SHA512
36afd9bc72bb16b8d8d1d39f674ff617d976e50e20e6835591ef98703123aef34ddb2a4481b83e438b3fa92574175402a600c64aa474a2378b4bf06c590dcce1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
1.8MB

MD5
1d7ad0f2a77dcb22db4d3e681801252d

SHA1
d956fa065a051cf070d8e4cfa117b2ce1cc94a4d

SHA256
395a8c4304a77b60988b2b346ac834016e4049db77789540f786bd7b772db671

SHA512
ac6dcdcf85e7f2b92d2fcf5eadab8563444fdfd7884295640fc6b30248090ee7083d4c62ce58e46267cdff2b86ccd3b48aa027b07d3de52643f3e95d055e742e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
1.6MB

MD5
352797d5267f7796928863aeca51caec

SHA1
1f7f09b5f1bd1d54d0402abb9b9957d5e3c4c770

SHA256
462f076aa80029b06f1c6b7c021d317d1cd10a4e69932ed02f7858b182b30046

SHA512
317732f3a3e4fba10e410d255728bf7f8ff382f6b99922d4f5b44d581a45b5da3820169dc01ad9dc2b079fcc3240e198d0329f22ca22b1c03676f8bedc2d7606

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
a619ab4d4026986f6f17f29925cca55b

SHA1
8994a18c94e2ddac6c40b78434f9d059488c6add

SHA256
9028b802feebfcd165cd8ac5b591ff1039e622b3474c31476d4be08f82d8a900

SHA512
803137dfb0b3a6507910f2f0b5043e89e2c9d920ec9601dd5dd2b9d6cc7849ba3b55701f7b2b24174574bc37073600d7ed385e602e8f10f1db070638bb23915c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
0949c5e760f1eef9c6670dcfd8d82a1d

SHA1
2b22905cd02c0f6b4d92164eafa7da83407cbee5

SHA256
2a14bb6d3bc27e8e0a863c29c3671477509343343bd5b97a500fd9b0eb4a5a1d

SHA512
8d0f3ac67b43980fe6db8ca1a29c6825ead6a60229b2b4682f674c4c793b343671d34e494aa99e6f5624bd00c8c66026ffdd05f6e25c75199b837368c863de08

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
2097f8eddd717a6f26af7aec1c4ccdb1

SHA1
3c4e1e4cadb3884266841cfd76582c1efdf5b2be

SHA256
07ddb805ba3fbdae6c55c4a6c73478415947e85e2a5f9d2b2fdbdeb01bea1115

SHA512
05aef8b81967d905dfae2e28949eee1de0e52d74d52adf2158e43479901d75aeedfabaacd5d9ef0dbd66a244d48c74b428cc0bf3b6416398ba32290c5326347e

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
1.8MB

MD5
ca125987f242b1d1f2cc352aca11c650

SHA1
de064f2e778e95aa3349092e42e24cdd49f5e9e0

SHA256
cb89679b4af63c4231e523a1105a803184fad1522109b862f5e72997af7cfca8

SHA512
0b64526b969427910f55bfd6019dc25f3c594858f3ef40fad5c819025f521e0a75d02d9c5540dffabaa77f9af6463b5a90dd5e8d1a71dca3099e5bcf8be3603c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
fd8d52edb25dc5d3b304bfcf405e5dcc

SHA1
624d62117c85cfe48652c3f13ca951b5b6864969

SHA256
f7ae88ef459e4bb415e69c20e35bbbf20326266f9d906fc1b08385234f6bafde

SHA512
72d8b745d933afd43aa77db04e9bd2c6544ecabddf4de1031b05e7cd56b2d3a63a825ca60d4c09a6a76187f72e2370adc4188d178373f5f3239e05ab707fe8df

Download Submit
C:\Windows\System32\alg.exe
Filesize
1.5MB

MD5
83d15a8d42d221e5cc3574f28221c948

SHA1
d239929657329ebc22fd38870f78f47186a0baef

SHA256
6329fc524cc6df6754464cfdf98951bbe13d58d1093695f795e1ba9208eea60e

SHA512
86c9230c54e21dada1f6bb49efefd293fdd841bd58942b6d466c2c62cd514e9449c61113c7ca05146ca8e3920c057db28766c0f7226ad1c3beb40859335c0979

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
1.6MB

MD5
da88b9b32a73f70e2546afe5625dc900

SHA1
9734af8fdeac2a6f84ddcf50020ecbcd977f48a5

SHA256
c82f1b11b50771b6bdb9626c06da79fe9b689b8be0ab25f919258a45c6fc626a

SHA512
1da53a92e662884e6bde7f00ea6586add0006b159b01e2363e31f40876036ee62f7e60bd96136d452849a3c1364bb97b073afac6eec8557262e06d9cfc9bdfce

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
1.5MB

MD5
3e16910b077bc3f02aaed7a07040b974

SHA1
79d7a16919e4c7880acf8af8c54b9759895f091f

SHA256
5efaefb7975e2234fcea3363e937a0ad718809534cc90e57f1700fec33a37d84

SHA512
ef4efe0d695e622337bcbf7250b4a7cf5cc6c5f2b4edf0f775fe66e04a8789e008c1cb52a21db14beec33433846cd54162e111ef82deeb183e83a0abf8bfe53b

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
6938568ba16ccb1c787eae7e6c7b29f8

SHA1
e90966e9dda2c9713a8fe73d2c882e050c28fb95

SHA256
66f51ed111eee98a8546e5b228b4d5f2cd87b15d264c4752624e61a131b6995b

SHA512
fc02a9f00ac572766c10e7b737fcb426a8bc987fb326f4aaadfd1688a304c29ecebd8d8411de19a8cc70b47731350cf23b2276333a4b9507c94ac2d700834a86

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
1.7MB

MD5
a620ee9af1de6215d4a101007ea01159

SHA1
afb08753090d996d0feb779f8a0afdfcd06356fe

SHA256
4a85f1d543ee7ffd441174ff8eca4091445de619bf6d26ca039e9b4ef1cfa11f

SHA512
432d8e6a730bf7e1c6fa168610aab84a0a1f0d6650a922ac580f9b6a9a1b874eb7fea6ff6324ecd2440394138682713fa6546a9eed8b55cc023f386a92c8af4f

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
2eff0f4cbc65441019be451182d184ec

SHA1
696b4973171b67b4e8d24e90865c4b653bcf18be

SHA256
a23d138cb3fab54609fc3fe8d62357fd8b6a81de79c33b70624a5ae9c65d65a3

SHA512
93954a0f1f8fe8410f27a4d3ce1f4192064dfa17bca1b7ee39c0d9d1902a2f9d3ace47fc766b973c43a1eba213a21ded80fe364520efc35be43b8c57ffea8879

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
7a2752dc4f944d643f4d2b8a55d117f0

SHA1
68aecd4f0d89c011ce2c4c22fcb385e088ec926e

SHA256
d5d037b58612bec3efd4547629305034012e0ee81affb6c4e13c921d197367d7

SHA512
3f13ee64a1c0da69767a8753695d018baa8d40ed1f2fb253b9fcaebcfbdf29ae8ab36bd471c16e6f517fc716de880651e9cbc722287bd389745cf4f5ab781d1d

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
1.8MB

MD5
2bcc30cfc3568b10ebeac131726ec30e

SHA1
9ec3ec99c94edba92043224bbb77aa1ab331d884

SHA256
42ced358dffa49189284cf7a9c52ceb5905f3a491310ad35676ebb4c357e01f7

SHA512
c2a7b19c3a8b045f60eb67a8be25b78749f3df92504dc71f94caad9c5aabef988e0882dc36eefc6fe803e96a5b31be08ccc445404821ca6bf2d7b033e9bd6e82

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
1.5MB

MD5
bbd125dfcc08c9b2c834d483d58e68ff

SHA1
c61ebe0cef54ef1563df4b4e0567ed96311f3653

SHA256
1bcfe1d72dc5fd6569dc1f43d4fc608cc0867ac199ce119692fe0fe3c7a28fd1

SHA512
fa5860b10efe927999f2c7f613d146fbf45afafba190bd781c4d119e514f5bc6cdfb2df04aa29cdf54385d5d82bf1513b9ba3f6e395b4dca34d5f6927a9b47c1

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1032-316-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1032-609-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/1144-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1144-521-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1148-312-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1148-608-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1332-336-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1332-517-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1332-214-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1468-251-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1508-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1508-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1508-250-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1508-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1552-201-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1552-315-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1584-300-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1584-195-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/1996-518-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1996-262-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/3324-275-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3324-278-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3648-301-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3648-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3804-198-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/4100-174-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4100-289-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4264-224-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4264-513-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/4332-123-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4332-237-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4332-125-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4332-117-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4480-97-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4480-93-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4480-102-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4480-186-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4508-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4508-610-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4516-87-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4516-88-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4516-45-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4516-185-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4644-143-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4644-144-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4644-155-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4644-153-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4644-150-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4780-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4780-128-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4780-105-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4780-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4780-114-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4784-466-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4784-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4784-158-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4784-6-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/4784-1-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/4924-159-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/4924-160-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4924-273-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/5068-514-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5068-238-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download