36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 20:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
Size

1.8MB
MD5

61bdddd3444b7d96d9dad249400932aa
SHA1

e4f354d0977f114c1d4c3be559c19b75d2cb5375
SHA256

36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8
SHA512

e8efc2529587630ab9ed5b3e92266d61b4dbe4a55dd5291c24869317f18bbff651d6b60a47a4d40bb616e5ef36a53c7dabebf4137aa5fc66fc13e4618f49ffd0
SSDEEP

49152:uKJ0WR7AFPyyiSruXKpk3WFDL9zxnSYisGcnlQHPxi:uKlBAFPydSS6W6X9lnpnlS

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 18 IoCs

pid	Process
4884	alg.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
3388	fxssvc.exe
3980	elevation_service.exe
1688	elevation_service.exe
1572	maintenanceservice.exe
1568	msdtc.exe
2204	OSE.EXE
4004	PerceptionSimulationService.exe
5008	perfhost.exe
5032	locator.exe
400	SensorDataService.exe
2800	snmptrap.exe
224	spectrum.exe
3896	AgentService.exe
2260	vssvc.exe
4076	WmiApSrv.exe
1104	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\453292567489627c.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\System32\msdtc.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\System32\alg.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\locator.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C4D.tmp\goopdateres_kn.dll	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C4D.tmp\goopdateres_it.dll	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101187\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C4D.tmp\goopdateres_ar.dll	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3C4D.tmp\goopdateres_th.dll	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023532956989dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b4f1b53989dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6604d53989dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046671d56989dda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cda0553989dda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023020d53989dda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe
2332	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1080	36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
Token: SeAuditPrivilege	3388	fxssvc.exe
Token: SeAssignPrimaryTokenPrivilege	3896	AgentService.exe
Token: SeRestorePrivilege	4792	TieringEngineService.exe
Token: SeManageVolumePrivilege	4792	TieringEngineService.exe
Token: SeBackupPrivilege	2260	vssvc.exe
Token: SeRestorePrivilege	2260	vssvc.exe
Token: SeAuditPrivilege	2260	vssvc.exe
Token: SeBackupPrivilege	5048	wbengine.exe
Token: SeRestorePrivilege	5048	wbengine.exe
Token: SeSecurityPrivilege	5048	wbengine.exe
Token: 33	1104	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1104	SearchIndexer.exe
Token: SeDebugPrivilege	4884	alg.exe
Token: SeDebugPrivilege	4884	alg.exe
Token: SeDebugPrivilege	4884	alg.exe
Token: SeDebugPrivilege	2332	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 2988	1104	SearchIndexer.exe	111
PID 1104 wrote to memory of 2988	1104	SearchIndexer.exe	111
PID 1104 wrote to memory of 4564	1104	SearchIndexer.exe	113
PID 1104 wrote to memory of 4564	1104	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe
"C:\Users\Admin\AppData\Local\Temp\36508913ba968f2b8fd3b6b48b317870e277a83adaab1d185195876357fd6eb8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2340

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1688

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1568

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2204

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4004

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:400

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:224

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:3192

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2380

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2988
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

Filesize
25.4MB

MD5
36418afe727b2e84ba7d390c812e794a

SHA1
5055c4f4de040b6e34d85e95d7427201a738b1cb

SHA256
4334e37424d6d0f197ffb9906900b938fd3b147c426e08a56c82a2e214625a08

SHA512
4a06026e49a30c0501aaf8f914c6990a972c039f62ce42d8e97762afa3dd46d52c14d3cccd182c3160a5a7e489b9923bf4e7c65424818cdf0277dfe97709d973

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe

Filesize
1.2MB

MD5
a8bcc0c0abd4ee1b6eecec2bb32eb9e1

SHA1
cec3f6cabe61676ac1b51e841b264d7ec924d6cf

SHA256
4056ec2c55c093d71eea6dca950373c56b24c83f8afd46f806eae2c8d32ecd05

SHA512
565e8b137b823f9bc0a43e13eb0a9565e36949b7d3ac690960df34a8c9b8a7ed11d841682c78aa512f7bb237493236db9ed394cde0a6daac6721977804a4c180

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe

Filesize
1.2MB

MD5
8ff14578ca6bffeb5e557a31018387dd

SHA1
d9c1643b9227393641407439fabef8ba5ae136b9

SHA256
6dc9a4b334bf3aa7ceb9471674545f795f7241c0c42e7673fb19d2cfc9af232f

SHA512
d3f0d30bdb9bd479f3fcc3f8d7feb98f51d9210edb65986f5a4c5cc98af3a4757d2b7cea134a52aa47bbc545abbd24df7648e7b426e03b0e030f9bb051381df2

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe

Filesize
6.2MB

MD5
8b3fe6774938cc80a1c2831cfc8e62c1

SHA1
0c97b8ae33fc9fd95599135c6a14a1cc4b740075

SHA256
612c2a2acd473e77ebdaf935ac1afc9dbbfcb3ef0821d19f4988a3bdbbe69d44

SHA512
a82fe9f104ec2d0f157b8d5ef76bedc56b16abb623ac3fa92e47eddbc5e573d5a32e8e0ccf2d0f4f14fad0a711d934a2eb5f928d01cd15fcdb1dbea9593e4d29

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe

Filesize
1.2MB

MD5
dd4dc6f3b550eb4de5e0422d25ab491b

SHA1
7e3571d1ccc17ca8000a9da980237f786bf4264f

SHA256
9a8021ae94876711d3f5cf4aff16a3bab305ba9f3cab256c6992099a99c5f95e

SHA512
9155b8134028802e9dcbf0de8a696c996b259ff0d01552c8f8440de494942309e8a028c5bd479508a7bc7bb6e49764f0abed7434948327b540607502b8214570

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe

Filesize
1.5MB

MD5
b39ecb8417e30b1a37278b738ce8bab6

SHA1
410b72979c9319a112922ca683421b75d50032ec

SHA256
0c4703e02185d48612db2069d3a7232481f32767b6f9efa24970993a55656788

SHA512
0a994f9ee020255bbaa99b809ab86d07a35320824d40f6905324b10c572f302c88b9493a2e7629f7531020ea1d3b200fe4646d780159fdffbc343d7cc4104234

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe

Filesize
1.2MB

MD5
4e15b3621e11854147dfd1c057592e1b

SHA1
00c31009fcf2590f96f02055e5ab6e965d6ed602

SHA256
18d524b28d44e46e7a459ac46c6106b8759a64faece70c197e2fc98f8cfac30f

SHA512
4c267282bd07e21ff397362b9ea6a2de2c6fea9a348fe9cf4dae1457ecf3d1aa48b1d7fc7cfa154beadd5f25e85980e1dc8c6ca8e377be021ecc87f3516b3367

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe

Filesize
1.2MB

MD5
2a9c87a4d1fde19aa9e93678fdf1927e

SHA1
b4f2fd72f9336b5b593dc7ec20331bab74d319a3

SHA256
aa5a3413fe2c28d385955c4ae0894bf59e4d6f5a09d474eacf845ffea2295e4e

SHA512
70c1bd33914f06d0f02f7f95b22a93da9948b89dcd05852200b79a0a1e516033612277e31a3cb8f16573396a9f8f56c0cc5c40282600475cd46a494cc3116f0a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

Filesize
1.2MB

MD5
3dac8839f602dd0ecd34bba4251a5dc7

SHA1
4ac5ad1464e57b79b1ce0e5ac9281ccbf9dfc9a6

SHA256
912a8cbc1c26efa67ece5a77da895e4359ef3feb422d25a845c484f45e0b19f7

SHA512
d810585b41fe1dbf0239d2fce9c8755230e5fd361fbc253dcf863c4d66b773e06c24508da9d457ecb49a6bd0f86157cd6fe6016eca46f82f931c635383b628f0

Download Submit
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe

Filesize
1.5MB

MD5
6dba9168c1486d6a7ec5d2b841419f6e

SHA1
9432cba9c43a2f59957559b906d2d268ae574abf

SHA256
d4011f42b270437b9c7eb763959697c83d59851023019b37baa87ca11ce6aa43

SHA512
b08ed5460891b6e0811bf63201aa5ffcc795d7b980305a20dae811585c2dd619e8222513c531c449fe675fc014f1e5ce73b7a4c4a24f833d75a899b4a7b7af3a

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe

Filesize
1.7MB

MD5
2f7da195d2bf8c43c311bb3e097c14f6

SHA1
2617e7ca8b7dd878a6b75f9d4f56334b206ef838

SHA256
a88b0dd72db300e56ca2edb4e63596cf6a80e8c8568e5871fde2addd4b98b0b7

SHA512
9e05f583fd7c29ea6579533d2cd1cb479a48e8927f8932dd96dd0fd703bc5416153502263cee27c0ad252b40c103dc229570bbd457833ad109e24b477696c40b

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe

Filesize
1.3MB

MD5
89e5b6ab1227a4e8d57dda9fe967285e

SHA1
e2c0bb78e87ca97298411ac84d90d39d39d5fee3

SHA256
7d542d6442b97be6e21728c10cfdd307ab098d00ee169e43e045dede8d8aa821

SHA512
447a1790cea4a3166a36d4eb82cb6b98ffc3cefa70e2a69d7746b464add29cf01b250ae8c46bf1445faee710497b7364fb89ff18bcf918652e504d26c917742d

Download Submit
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe

Filesize
1.4MB

MD5
83108876abc12913265c991aad74e56e

SHA1
b2abeaaab7131df62ce1a12a18967fa00f73fbde

SHA256
9e16423b9d53eeb69a81cfe23ee47fbeffe5eac670f754cb7b6cf6a961ce5e4f

SHA512
c6c6903e20102f5c4f50865124dc1c60775fe82eaf33eb3cc24dd360e49e8491392d576920c71ca64f79201327ec1e8b93fd5e591212cb0e5ccce3593da58c97

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe

Filesize
1.4MB

MD5
2c79bc3266e576d96406a64f96e17c31

SHA1
c876389a9140d776f26b9dfb1a1d4b92a139b423

SHA256
548ee3d319de85c27acbf69427fcccab72faa01073eaa5c975ef7118d79812e4

SHA512
fda749c5e4e1003b3a047f67f9eb36ab79b5ee8992ec6ab58d2e99d2397a009bb579949198c8fda59de176930cc4ad28adbf4bbf022c59f71337c5a087dd1620

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe

Filesize
1.5MB

MD5
2c386d7150c2e1387b245d83123c6ba3

SHA1
b961c4f3ad41778977863e770cb41530b3803520

SHA256
0796300ef7e48a95ad3bb1c59beecf1720543b0dc10792461ced770550f1d372

SHA512
9632b609529f6331179bf5c7b19dbceea46f228241335c69f07a8e8708b4cf3f1aade99a1d11dad96fc16830dc1dd7b1edbe69440565710ac612a848f5f3e9b8

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe

Filesize
1.3MB

MD5
16c39ba449a2859d1c5b0a9d4420cffc

SHA1
d027b0376bc92ac41693a793180fe0560c9fdc38

SHA256
b4ed76f5c7eb9d4a45ba41d7d29d96840db37c4502c105df40ce110befd01599

SHA512
fe989ff9ae1562bdfb721aa5bc85ebe22566adf9c148b7251fed7f7f431c980b4aad94478ce7b12e01e3dcc091065667c5e013c8b658f7976fefec64794d8a17

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe

Filesize
1.2MB

MD5
e0c7d99982c5a1930f68aabfc359c3ed

SHA1
17276bb974b03ed67add7ed2d52c0c3a9fe80a3d

SHA256
ebc86c4ec73f373dad583fc167c39a2756dbfe4be5b38f3d64f2e213ed616b07

SHA512
f938a210bc4454677b9864015c8185626b77afd41fa0529181a85f7d1480fe460b341af22032218553722b884f3c9e34a1d4445d019ed675c976f3c6a5537452

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe

Filesize
1.3MB

MD5
0c9dd465b2c4ee8d817bf4ebf9695e90

SHA1
73eab9c0dbdac6d7ca2f2665425230fb56f671b5

SHA256
c02eb30a097a28e6bc98a84a0cf2e973c98b9e8b095e77bbe8ab97d800a01b87

SHA512
20605553d756460dacbf608bc14d94ef061adbdce90e78af680f42f52e3c02958db847978a6aad6936778ef917dca405c7ece525f6994d0c445e3f4379448b76

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe

Filesize
1.2MB

MD5
0c77ed94584ea0fce9ade012819dbb0a

SHA1
a4ef87274b893e658b254f170d95c4aeb461679d

SHA256
e0ef92763ef9746f53d56b8258f41806518ec0983ba532be51a94cee33218b46

SHA512
f2ca213c14739eef563c00d7c2ee69d1bbf1e67f8c5b0017399130dada9d0ef13c31e54a41c5543cec08060e94ce6b15fc1c2a7a0b5ce7d9a9d396816f3935a7

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

Filesize
1.3MB

MD5
4697c72fd7a18c6d3f621a7c7a7f52c2

SHA1
6b0f01d788a56bda27f97907487e153f6a5a9ead

SHA256
9d084f87e08f4e57bfe1a21bf0e91f84d12b19e29d536c63047c5beeb62ddb28

SHA512
60082f3f97c9d8e56a33a0260a356a0b9c5fb7b24814ee37ae894b4a9eeb8dfde9ee6eabda06a66951a8a1b2f0ce23c6ce14370550a4f37d5dbaa68dbb8a4c10

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a34ddfe92e8744061f3ded9490aaff50

SHA1
4dbdcc3df3e9d58d0b99a7bc14235197db69b595

SHA256
89334fe71f1441d79d2773cbfe135f593f217a443197536ee2d83957dab49037

SHA512
45bc33e887192913aadf0fe4536261785726bf84dfd783c760b59ffa6b6fd646b93b3771059dff0246ba7bdfa8d01d15355686930f40ebecbc13d16a40682aed

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
6e5193616a8a69fcb81639a2adddffcc

SHA1
24ab6f3bf97e8a80553146b47c467c7ba3d2e777

SHA256
e0be6d67e8d16f373990a6efa9747941ce425962bdd6ce5fc9d4ea36db8a8315

SHA512
647bebd4f1573b6cc05c571a62d51ec9ae94dcb8f0714e658909791250d590cf4b5b17d2a99266b3f9f28404c6d6512db9a22f98ebb478877598cad863c63e78

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4dad7b15ac5543aaa2a72095171bd3d9

SHA1
e61c42f6631318bc80ed2cbe163f99e038ef4db5

SHA256
63d686dc438214aa2da859e467a98867d88ba9ed59b3184323f720ba3c9c4bda

SHA512
36be1032ed564c8028f739e40001de398e5db82fbf22b013aa21c521d4832134b17f5d6d12b0fd28dccc9023497a1a7d52b10573c85ae8d313d3aff16b2b7b73

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
264012a3cd2498519eb822ea942aacd3

SHA1
574384c13a938ad15451d76f133acb4329186bfa

SHA256
184a10fabf41cc70f79c8dc230ac748e025af8dea75df2f3b7184a23caa353ea

SHA512
ad5c6658d2d7885ef559fd4f8596492cfe1e6c2d6c2b85c0e6e20571653cba8141624c5f1a4274b24a85ffa86d14672e0d97ae6031827fe52e3e416bc19a2da7

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
63a2e0b4e7a987f9eff1de28b429f5c0

SHA1
03da8f7274496c5321f003a3b2ac32418c7c340b

SHA256
0abf3637e731683a521e802cfb7f654972992cad7c0171e3167bde6390f63662

SHA512
0d7d0709bfebde7cd5a44e4f99cf35528f9a591a9a14e413fa80c482536df73b706303c0777346172f50ded2a4460d404ee0cbaa7f664b7247c21cdfb6e4b4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1326710175\zmstage.exe

Filesize
5.9MB

MD5
7833f3f1889b0dcc9741cc7d74cb3821

SHA1
6349972fc225f3fd325f461aee4ace3e49ddc779

SHA256
97b2c6eacdbd816dc0ef697e89d4f0ad38cdfd2a8076819e504fe2b81ee52f90

SHA512
17398434d6eec7074830dd8a62431f51648271ae7ea7646ccb2a66b32cfacdfcbba66b2b4d1ef85da7ac22b80b9abbcafcddddfe5cfaa935dd3ba3f626aa65f9

Download Submit
C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe

Filesize
1.6MB

MD5
8baf35d34e73469a1bce7511033f6d3b

SHA1
656a00a4cb55dd3a784cc44a758fbf24851bc5e0

SHA256
753c457b9eb5893ec53bb4f096c700132e73bcd06ddfe8900545d2705406f1ca

SHA512
677e910b864a72f2b0bca0f30b22324b06722a7b342c1e7e4be3b95e7ded72724c4e511f017e9eff4fb381f313c04bf01f6aa182f5fe50d2ea288302689367ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0da4d8a43dfeb3b05b40be13426776f3

SHA1
dd6bf671082518e3ba57f82774f1dd10ff64236e

SHA256
f2e89c550d762f9594ee58601f194977de9474123e73a34818f176e8a3941cef

SHA512
7e6c5f8c9b8130e49614d97ecf7d2b1ae18cf1f896b9475a807dd98b3a4d89d6dd06f31ae456d5c939b8323beeb11f9b08997b5aeb64a33fe794d8a329c0b77f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5e180f3999236bdc21a5f0e30ecbf75d

SHA1
0ed2ffc87896e0088467d47430c0cb1b967edfa2

SHA256
844ae0b23022b760e264ba8525bc215093fc264b75bc6d553eac2af0f7b08ab5

SHA512
1229d5a24b6a42033043e88e7f1845b7cda216de7d2c939538122ce4097b3819b49164b52bfadf7356d8b0d3267493d60f5efe36dfee15fa59c0499a1c461c61

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
ad8875149b2d9a6de27fa20aadbaeb62

SHA1
02a1d5706d22787361d2dc2f5871f66b43d999d1

SHA256
607a97c0aefc01e6edf982e82b8f95fcca24cd1f0818fb456cd5785a89e7cf46

SHA512
6f3a09735ac887adc62e1a2c4abcd9f49285138ebac1d2484653ee8204f402fa4eebbc46e79636ffe734a1c5a0922084df85222cc0a0a302fcaefa7114567cc0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d74dbd8aa72dee7a54ba3f359ec5f3ad

SHA1
b5bab4c1f0176d7c81a6b3f718fc7f4d887ca2cc

SHA256
6d2eba6fee0162641007e8c17fd13c8d5963cc158c12c559a1f02d3937f0352c

SHA512
1a746e09fc441f059e2d4a95f0c1073fa95edc5b262a4974a76c074d8b64f52a441e76fefe34a72ee5f3c85a802e9184b646f0ec32343680f5f165a61f371131

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f1ca3648ec8f8b223a826b715edcf0ca

SHA1
316e1de8ce3474ace662ef44aed93c29f1ddcc4a

SHA256
da854bbf251cacef812d941f3b5dfdd9b85b6793918227a76e487ddbf73ef1c1

SHA512
424cd2131952329b89069c8983e05d307091f0581435593c92b5fdd2fdd1285ec74fed9d2fb9a05946e2bac00dd6fc5fb67924c3dc56a2d3e6d8de269edc0368

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
966947445deecf113f2f2aa5906c0a48

SHA1
58b0a488413cb741c8a21bb7067e97888c4f220d

SHA256
8efc4d336386eb700a3c9bb8a72d7c7ec704fc128ef0b9c1980b3308228a9cc9

SHA512
a9b88589f8fe54f235ca40d2efbb3f3d08b5545c597c3887587d15163d1c7a3bedd5bb41a4b52b29c24ab6f378d621c9b58bacb6c87dccec2ee23298d064deb2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e1a109170c553d035850e395ad61e1f2

SHA1
4b416cbee3eb4eb31605365f7fe07f819f8ca62a

SHA256
aac03fd158bbb2b37090159fc7c29c969922eea20a5236c66cbc076344623142

SHA512
e6c36f8f83fdc5f6e292b0224c73450d40efd8983dc5ca1cf0744ffed6f7b60fea2f17283877a7ffa821c7d6fad98b83c5ac8475a25d17fbbb216a0e087d1c0b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a4f115234182ca7911fda92004444684

SHA1
1f46647e966cc060a31cfe529f824dc1a89450f1

SHA256
6f89fd8d99e6fd921cca397016b779587daa2029603fe44e5b553ae3f9c0c9a1

SHA512
6fa1b993998e519898af231a9a4ce9e3bcb6d8f120ca8dc782c196ef5193f204e6fb38d8ce433b3d80a62ef006e7cae02faaa92281c85b0aad6638e4ddd3b7eb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f3d70d1b8a9e8b6c0931f8338a9e2dfb

SHA1
5494d7b577e79565eeb98648e62f2d81fe432327

SHA256
ffd4e74a06c7e7384e78a84e422cbd0105a25ac9e85d8ce03a2b62a3cb9c549d

SHA512
ab04e976d8f59b709a7e4d668bf6d23a3c414a79ff5d4ebd54a4a400b211008e48e3854937ee3781625304ab68410b16c21618af51e2ff1b4967ffe86abf6986

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fc022bf9bb68311c55404b4d7ba9586f

SHA1
cd2d39be3538e2df888c7c082d6a43cee3a95b94

SHA256
9ba22646b58c6a6e96e1e21316adebb79eddbad8615f5483387201eea9a84303

SHA512
402b77f2c3bf048ff865f871cd1e948793aae02e0127ced8bd3484a0a717727d5c38d83df464419bef55ce5b1e687a5051d017349479bfbd5bd086b4ffa52b8b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
b07376ecedeba38998070ec30185e475

SHA1
219edda6a7698a08a426a25494515f2c0a8d3a44

SHA256
29dd30864e06c14987c54685f34fbdb143950466c95296edc82063bc2a2c50e5

SHA512
3aec954c4260c76c1125f0d600e301f362258b937c0d384a6468d1fcc066b77049424fe326c35ab85e2fd8187038c8a285fb6b97b3b92994e2e1d42b7b7e002f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
4bc4f784b1320bcca49355a3863e180d

SHA1
fad3d9353d2e5d2e96530d98fa3f7fb5f929c0f9

SHA256
b5685549dd84a839eb6679fb9e3ffe4f2dce52439f22ae9e657a0b9279a536e4

SHA512
7a50daf892fa921758636756d91d89fd3247ad4f2173488bed714cdfc9de09cab9caff87da1fbbcb785d5d94d9e99e2cd8ae9e01401046fb7ac897a5f340c771

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
8b3e51a26542bcededd2fe7f82fd1f62

SHA1
9aeb3fbd1029b113d47caf7125a8fc65c9dce3c3

SHA256
c18ab71bd5755a9218c4fd13f68fe4f71fe951b0527694886edea7cc653e8844

SHA512
03183ef9a32096888bc1b389368e5427101cb962396515b459b242eaa11137cc6579f276a8d1f284f2550c7ce013eefe613c75c22548a0f2780fa1610d63e1f3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
c7c808dd8b6371a3601931a4d4c42b20

SHA1
62267f8aa82f5f7490844094c58daae69cc1d561

SHA256
e3979c41bcf003fa9714f7d1dc0e232c283433ce6eb0499b18e07b7a7a083d4c

SHA512
6c52f05338485ea4f699295cad23b3d801d1adf888d6e841b2d1ab7c49a27c08b8449edff786630d296834ed911d7760298cf363994aea89b207abc66a6e9e02

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
02ea3a4d34f5407f107f912c6dd778c8

SHA1
7573b3e6c3c11197d1ee055b05f725fe9535006b

SHA256
bf8931d27ee785297636138268dc1c8bf59ae52a140521444f752b51e1640606

SHA512
ce0c514ad9cb754db0d4a62ff44ed5d16ea470bf8065badc7bdd5f87d19b0991b619da48329a7e228a7c847429aa53482e42cdaf1ead2d78df6d50d42a3e2f5c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
80a406ed4e44fa79d6474f22aa2a2863

SHA1
031a493fbb2c73a0229fe2700e410b97b8a97994

SHA256
871159146317fb1ce56507f26add0179c75b7ed74d0cb3d7db23a8d542957e75

SHA512
d67a42ec6b823d7689401f019d884e7465eb36edf66a9f13c2ec5a96b48f70307c89cb929d0982d2b51ae8a82cc87c15708366e74fdb3bb0cc46b162de4b6603

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
0ad26b821c59a0de27910f3dffdef200

SHA1
492f4a7fe71c69c9388ad7466bf6ca96ad887775

SHA256
e082997e226a45c3839975fa556c401eb7287deb18b09bdfdba0212b30184d6d

SHA512
98f10a4f3c88c7da57bb752374ea88eee8ee95a0fad44cb5c33c205dc692bc9fb781f875369e297b8379cee6746fd69f46ad63299dc4571f36731400f9aeb615

Download Submit
memory/224-281-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/224-600-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/400-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/400-513-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/620-601-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/620-285-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1080-6-0x0000000000760000-0x00000000007C6000-memory.dmp

Filesize
408KB

Download
memory/1080-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1080-1-0x0000000000760000-0x00000000007C6000-memory.dmp

Filesize
408KB

Download
memory/1080-485-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1080-391-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/1104-605-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1104-322-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1568-151-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1568-157-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1568-277-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1572-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1572-138-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1572-159-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1572-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1688-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1688-127-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1688-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1688-599-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2204-274-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2260-286-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2260-602-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2332-93-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2332-102-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2332-101-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/2800-280-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3192-282-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3388-164-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3388-111-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3388-106-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3388-165-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/3388-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3896-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3980-597-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3980-116-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/3980-125-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3980-122-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4004-275-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/4076-311-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4076-603-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4792-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4884-596-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4884-19-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4884-11-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4884-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/5008-276-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/5032-278-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/5048-312-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5048-604-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download