7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
Size

2.2MB
MD5

ab8da36253a690683510b75b9a7ac21b
SHA1

a0f2ec6c579f84944d7d41b0dad2b73f26e4ef47
SHA256

7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f
SHA512

a0baf2a41216f6851c7eae3d70b4c7abdfc1739e9a0e362913501b0d2e1f18805427564adc64c946b60e986fd38fe7e6483442ce9578e3153db2b756b65b30f6
SSDEEP

49152:yiZGXN3TB+Tny6cGlwlfXT5Xzw1Ae30jaNf1TWbdz:1ZON39+OM0fD5Dw1AU023W

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
1568	alg.exe
1264	DiagnosticsHub.StandardCollector.Service.exe
4748	fxssvc.exe
2432	elevation_service.exe
2116	elevation_service.exe
3500	maintenanceservice.exe
3112	msdtc.exe
1344	OSE.EXE
2996	PerceptionSimulationService.exe
1652	perfhost.exe
1440	locator.exe
4880	SensorDataService.exe
2696	snmptrap.exe
2688	spectrum.exe
3772	ssh-agent.exe
4344	TieringEngineService.exe
3408	AgentService.exe
1580	vds.exe
1288	vssvc.exe
2480	wbengine.exe
3092	WmiApSrv.exe
4936	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

Processes:

7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exealg.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\msdtc.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\312ef1f689a4da0b.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\System32\vds.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exealg.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_101453\java.exe	alg.exe

Drops file in Windows directory 3 IoCs

Processes:

msdtc.exealg.exe7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exeSearchIndexer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000925025a8d3ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab0fe1a6d3ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009325b6a6d3ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063780da8d3ceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008acf61a7d3ceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe

pid	process
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

636
636

pid	process
636
636

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exealg.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
Token: SeDebugPrivilege	4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
Token: SeAuditPrivilege	4748	fxssvc.exe
Token: SeRestorePrivilege	4344	TieringEngineService.exe
Token: SeManageVolumePrivilege	4344	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3408	AgentService.exe
Token: SeBackupPrivilege	1288	vssvc.exe
Token: SeRestorePrivilege	1288	vssvc.exe
Token: SeAuditPrivilege	1288	vssvc.exe
Token: SeBackupPrivilege	2480	wbengine.exe
Token: SeRestorePrivilege	2480	wbengine.exe
Token: SeSecurityPrivilege	2480	wbengine.exe
Token: 33	4936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeDebugPrivilege	4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
Token: SeDebugPrivilege	4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
Token: SeDebugPrivilege	4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
Token: SeDebugPrivilege	4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
Token: SeDebugPrivilege	4776	7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
Token: SeDebugPrivilege	1568	alg.exe
Token: SeDebugPrivilege	1568	alg.exe
Token: SeDebugPrivilege	1568	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 4936 wrote to memory of 3128	4936	SearchIndexer.exe	SearchProtocolHost.exe
PID 4936 wrote to memory of 3128	4936	SearchIndexer.exe	SearchProtocolHost.exe
PID 4936 wrote to memory of 3408	4936	SearchIndexer.exe	SearchFilterHost.exe
PID 4936 wrote to memory of 3408	4936	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe
"C:\Users\Admin\AppData\Local\Temp\7fda02dacfc62d5781e8a4bf3fe278ba893dfc293ac49bccf73ca4cd39598d8f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3500

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1344

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1652

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1440

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4880

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1924

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3092

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3128
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4fc058a13dc3dbaabeb8e64bffc6c002

SHA1
98841aab0e96b9b17e96e588946ca4601a140de7

SHA256
a9e6ed6baa2701169a844119714767aa233918485731bd412f8d6547e5876d0a

SHA512
60e8c916503c7e42b8e5f754d5845475eaa51a2bcc6d5738e426a78f92537d2a6f756f3e287a0d0a9e72a2be848d11dd28a97b01fb6bbe3529fcaec706e57b8e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
368aff0fa470e42018c428853fe780d5

SHA1
8fa52142da79d423bb04a4545c0adb101ad9d025

SHA256
7b3fcccf3bf8807bae8ccf3a3ca965a17973c4f110181aefb5a4e0d085b5e2a2

SHA512
1203e97c0254608a2e49c6f611cdb8f19d625ad322a9d4c5e77d9944fec40c47fcb680e40c13e06625acb243db82ad233f461154e04abbeb828a6f1a0ae6b358

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
0c4c7299ccc9db4c0b54d4b306ae78fa

SHA1
4aae51977a532a1331bc42cfba991d49634f296d

SHA256
c12164b03a0e0cfacad224baddfd797c1cfcd6aa371eefa85f1a49e1ff67c9d6

SHA512
8d775eb0efcd811e99777a9e0430b600069c76eb55a31fe04fe3bccbd84c895d3e9c23ef7c1afb2806e5cd8bf535aaebc26fde0fa99997d5b62cb3d0535d7231

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3b22455a8c921a4fb35b180d351a6ec5

SHA1
85e123cef5e9f42c70e361ca847b3b37a3a7b30c

SHA256
baffa434890810d70b39261a02b59411773969b029f58fc71050a3b196773d4b

SHA512
26728d777c368de8759555063dce622f4c6ce75c453e15114a488ab7d4cfe4d87687cc8d2433e0e2aa90e431c65f6d5814178540039206fddc05ad05074eb952

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
afd21d4eb3b45a48f532976740da2132

SHA1
720b0fba031f58954b2109a18ff9e57e88c301d5

SHA256
13e2e1e44ead7d993ea94fc87a4a59b68d8568f12867ed2b611a504a3c3f8350

SHA512
3ba34dfa0d8dde34f2fddbb38f8614fc33e61b7b92f1fcf8020555affe5a7cd7876ad89f5679e3b327cc12821fbec9c911828aa6fb43e8a8e17c27fcb518dc6b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ef00adb3d2b0a3ad8d6e92f49f878f78

SHA1
792e0b4a2c2a8389d9767b5cc05016c16b165313

SHA256
47eb622a52ab6addfaaf0d2737f45bbf2a7163e560c21f76327b360d60d32e49

SHA512
45e0249f661191e9c42cadb9fd44fce11f43546612a07c6ae064446110c686dd32c6a9d6a776959bb85bb816ea6a161d2a72f95db3a615ce5644185a67a6ce15

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b36b7676a3664a66a20959dcacb4853f

SHA1
c3d6b651f594fb4deed43b7e25ffda349f9514e6

SHA256
d14a07cff5b5c9881149fd96ffb712de730c4e30bca395195465bb74e1ca432f

SHA512
933a933083d460a176e731ecffa2e0dc20211aebc149a6907e3a09000dace9c28810f6ff8e4f4f02c2434d2b1431a249a090885cb27c20d8a89f02c1d975f52e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b3c948b6598627d5d10be160e5a7ab5d

SHA1
bcfdc048a1ff0656634f4b94a4e3d65762b7a9a2

SHA256
17367c902dd9e896ab8c0e12b9ab6f0c2123ba1fc1677a408498e07fd6fb87a8

SHA512
79e69f20318909bffd8ec6a0b7fc5e2a63a55f80cd6cf7e9915456b0c9141ff2e1f157e75b4bdd2318b60790303f981207c36bbd7c640d6ba603065bb19ab309

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
dc92af39a29d1bc63ed343e1273ed706

SHA1
3b487e290ab28e122d158629731be296005e34ec

SHA256
a70f1808ce7a6bb8009e2750c790636bc9fd4e5e93f3cd230cdf0f96d8b89701

SHA512
fffabb87afdb5a2b718a4643f4b43bae9cb63fb5b5c4bddbe9ece87562ec5be964c5c56900a861ac2ad4bd0c43705eaaaea8b52b47f5a5b5eaf4add4d94bfcde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ececd306f17fa8210fabb71d36665c7d

SHA1
7cf9c42aa46a8ebc2538c8f5fbc6e40739169ab1

SHA256
241789a394e366a6fb3d4136b09064ced9a24baeaa373522c5aa1c18d7062145

SHA512
d36db5a26fdacdb45a9b5d23745e2fb5dfff492d02311c2f1f661ba2ed4c371882f0cbe3a9d275e0029500925b22183d0ab1c529abc346b0a864cbb7d5ded2d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0c807dbac6d2e53c2a8543f51491d629

SHA1
e5c2c5183a1c1930798d9bfa4f131afe3fdc883d

SHA256
269197382d62b76e3ca1bf69d2b120559b191bb4384e224ed4fd96b924e1a541

SHA512
de187f993deaf255201d474c1368c33c8e587fa3bb551b2f14035c5465b2dea3d0f9fbfe3645ccf60fdcd7d92d85145f8f54215d0ed8aa746475b41fb2377060

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5ef60d5d95dc5f8610367139199d5c6b

SHA1
d473e706459790a5ef9fd67da83f3c67a1e39dc1

SHA256
68e2e8cd6c69da1ae139cb77ef7b5ffb672faa273d2c18ddec8dec43e3270c89

SHA512
b612ee26b2536666a5fcf8cb9ae95467ac2c554c00d3289bee26a4b385dc0264194580ad1b3988858be761ca5481b4af6e15e3c8dee5558bda2a99bafe1e81be

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3df58ea7b05e72b7da598248b94f4153

SHA1
f0fe547c0353aeda2691936b97b444db590fc730

SHA256
eb2b4a5e7c4aebbc8f2d1026faa65c53c3dae69058914757cd0e386cfee36ddd

SHA512
c2e5838f412bd3542d4be577f86b5d4552ad3cd49e353e756f05e5519fdeab615aaef736028466f3fa8dedf33b2dc178358a9baf0a8dc4325e4967ce7ea9814f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
2f9ec81a9fd86a859c5edaec87222ade

SHA1
e08e213a1f8a39a469f81180f039908f15eaa555

SHA256
318bb34b9dc062f3fdab57b2ef5b64016063f4f13dc767e49202b19c615a3eee

SHA512
6a38f9eb176c1650c8931deafff3484052d1ca430ab411c2391d429bee0cd3d029cfbe8515b0ca704c2ecfaf3f81ab8a012aaf21b0bc785f52e8e3c72f438944

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
9b248d56ebab987d34a72d38af63ac5f

SHA1
0034aa96884ff1788ad569250ccc5dab4e54b04e

SHA256
452a929b8a9c6e2e37add4a8a2021ce97236a670e40dd9221646033469271178

SHA512
09a132581d97282a0adb55df26a4f23528556d1a936fc01e16e01c1cb94d06011f1d0febf60746f74764759cdab825c10ee97862110474f64d5f5d38051cb743

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9aea7998cf477767def4f055a75eec92

SHA1
ea85b322e2cb71240430d051f320c29499d34bee

SHA256
53d0941bc6387a0d7d64c939e7f4255ad5873a41b25c457545d4b3641813414d

SHA512
2ab1406d36aa71575b8a019a46a22f5bad9975b44510b434a8a4e3aa059c409e7ea76c8b0e4bf96025ffd4c676db07da5fe3237e10a9a45f3962dead2d4fd175

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
76ebcd9dfc5b8caad145c805a260ce38

SHA1
2900a000fa34ebe6542601598edb6b46d1d382d5

SHA256
57443c4b372d3e8ba152dbf4a63702eb7254120fe1a959e5dade071cabff67cf

SHA512
717024584d9c50018dd5548f4f994c1d236ab6ca8a6a60e0762635f828a1ebdf609ce7e5be39bdaa4359b2ab6e84670eb8e6e77b7f7873fb81c1ae5d5a18278a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
93442080be9eea9bb0f5818e90b6b5c1

SHA1
5c6ddb31208d8bb268f126904f1e9a5228729f4c

SHA256
84f962707ba9f65b064a621909947e850bf3f3db7a53f4723740b96c94a18bdc

SHA512
5ad3d2aaa3116b53f49e9203ea794e95ce8f237a2999524a539f45491ceac0d5ba0275335bda72fe4eaff3c92893c519b10a941b99e59ff50fe2eb73ed37fc60

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
13f0cf7b4bd800c7e10603f7ef9df361

SHA1
9470c273b270c8562f389801608936ab6ab02039

SHA256
b2d5fdc2bc8bd9e58888150abfd266a57053695f8e32ac6cf8608f8e63289b9f

SHA512
2701c9737b98b1efe92d21762603f83f0f0566c428624547ea2d9ff11ba877c8b4791e2357f6c13dbc99feb1d6ddf1adbcf5347091f8cd8acc72ff4869dcddfa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
0d183d0f85edcc2002a58589c7f80f78

SHA1
5a3121e765ee4ac94c937fdf66647557703489f7

SHA256
256d906adbff22b5ecbf4bec200f0a0c1540616b64555a0b370c9a1dbe5f7b95

SHA512
0b7da3a162466ba8aa5d3513717f6c0a641614a037f6959f4e783ea1240f20ccd7cc96cd01a1fd742158d0d235ed1c25b31cc627d16e569f250f14297235f329

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e0328b9a748d145fc35bee6aca131882

SHA1
883f8a3e83f956567037283fdf9b1dcbadb110b5

SHA256
afd3fc828a53e17d4c6c3e417176211f538857ae87d7a688e107006aaec13fd0

SHA512
a0b30dc7cf18d193f2d2c2e4f925f837a9a2e95b1bb59545364c14f7ed5c672d5b03dde337299059d2095433b51074840eb9d1d0ac0faaa26eb3a27d1488ac06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
415563d4e3b7eb17b655321816a1f315

SHA1
55dce67465ce3212b6a26ee3f34a36dd03e83cc0

SHA256
5582b1bd85a7c77723e8db7d27b6fe39dc6c0cc90de541f434d81f2ac751d3f4

SHA512
808969d14797ffcf5eb68becefe008b058d7ca502dbe602e5e04b24b5a1b4ce2388743a4263ddb51f9194abf1a4530e52343f74227197b28ecec9b29f87909d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
eb2de6197941932fa0a0022f23f7bf6d

SHA1
bf947944794a55f8c9646c323d4cc3c499cbdcaa

SHA256
c77c5f4892f323b3ecab722ec773f6906ead47fddff988da2d40131bf0e195be

SHA512
84f245837a83d3192857d8f7b4eab9a9300ea2008d2b4b66803b9764fa9b7dda341e51011ebec3dca63315b5679652f472fd75a00618b91bd2a8438b0876acfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
e58bd3148e2fbe3bb77f5882f3c7155c

SHA1
60f87be7113b949741304f1de6a1b6e24690be7c

SHA256
cd05855aac79b4969823c310ceafdf309f06cf091ca3d1953b803436db01fca6

SHA512
bbf55fbc150072c791a4a4de2aa8a192d7bf75a202038178804dbb5f9cf88d75ec7e36c9ae17976bfeeabea5380ced90a75c1ff4f09a8a3a14512c1950574b45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
3bb3b19ef79a4976fce10bf69e78132f

SHA1
c4d187c85e9f67656af8b29c20402d0428efb1be

SHA256
c487ab2499e8ed40436ff1ab264f5b05148f1c8939c30654a8ee897090ea9c73

SHA512
bfee4b6c09d85ff5d9929486dc89cd8ed37bc99e8e7d61f48b4efa175bde5b73e4a9ab21e36805301705f815e278bc3087dfe40d0316bae5634707c6adaf02ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7e4493b7d35937a6b9c045b6b0ba42ea

SHA1
9e5a6210f45e7eacea20124db32b7db576fb8d3c

SHA256
7e40fdc3e817b38031748b67cbe4081190c488eee15b470a18c02899f74902c0

SHA512
a5735e3aeb31c749db6fcdbc7e3cc33d405201c67ab312640e134d5e0f4e557a0c0b10d3903c7b2e7a368a1c8bd6c3d5189ad9aa15eb82df49299dee674b94c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
87a0d7dc6bcaec2b6b83e50c020f801c

SHA1
e97d9488bb0fab07544694ef81608971dc193949

SHA256
7dbca8e5d7ece1a3a71fb24ca9c0c8b8f0bc0ee5181af222387f3d2161713b2b

SHA512
95fb6cb7cfc4a4261bae781e4b5ce04ae56ef1b83aac6cd5294a991082477a1b999f2608a53368f22bb31f7a89b2924e0809cd6cd0eafcf08ad03f4db3c128eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ab4920f79f753801fd42afecd680c7c3

SHA1
a1d7c14202feb38f5b8edccb1afa8ab2de5ab0c6

SHA256
be3bbc07978dc4f28cd921f5af28f3632c5b2cd16120512fb60f0126175c3b8f

SHA512
bdd57fa1b1d151430abfe0bceaffa20837edde8a65c9aad2efcbd49f063e8fbd075f1ff0e24bece40f249d3282881910f28870f59234ecea24e0dd81e49411b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a36c3c9597a211274e8247e2d1ab959d

SHA1
f5d031b27ebe8df3bde2b522446c20b4370f651a

SHA256
11c4197138a7057cde0fd514a039f280b3f9d4ea530539450af33f8d4232c3b2

SHA512
55e311ba3f735646f28c7c5e8feef34fc8c65485defaf889a9ec8b58f97e2c13924eb20335545899419bd519ec57c7ec65e71dc7877e7cef7328f84498830952

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
101bbba05f3f6a5480ed01c024332a01

SHA1
dbe66bcc715e57f71bb64b1a23b6843f614a2906

SHA256
d437fa16ee75ea710710867d6b0251658493ef97b3e7b5133fd4b64ca6e1102b

SHA512
113bb2ed30cf802926f87d5780f5c56bdeb17c11ea3aff74ffd31ab1f8ab11d8cf1e569ac5f9bba99cc1f4ec3982353aaa25701e788e893106898c8e9471b391

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
9e4ae0addd6571d37cd8c5e9a4be9fbe

SHA1
fc5dbb04b971924a85ddd0ea79b6d20d87028227

SHA256
e3c0e1fc68f08fcd9152e025d09a320d0086919ca73ffa9f04e477f47a056630

SHA512
641ec47009e8e43046d06d81fc08dccd4aa5c8a0387b6caef2fb9e486171299421fa56b46c6754be93d82c617a505b7cc7d1fd6be322cca1c3d2c990cc79c4d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
3fda32b386099e4a0be14c587f10c832

SHA1
8c1d764eee9ae5ddae63da6b19c7877b1f08bf24

SHA256
47137edd0aef1637be8f5a5f2ae584019ff7181b3188975395abd1ff7c61189e

SHA512
3621846b7fd78d349cbb16eb402c6f1c6ff320fb455362d2ef16b9688a6b59a5bddb45f448f4c903c627ddbac96763d35445511cc23fd6d3191d5e17c74ed584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
313080811e02186d07d2b980f1dc31a1

SHA1
0da30e1aeb470150b27e0676b198cdb07738142e

SHA256
0c2e601e7e4ef54c7487ee5ba0888a5a6914f2776af91553174fa880f6ff8de3

SHA512
72c7c56305eb688975df143dfb56247bcc5f2b8c6f10d895681d8a753f3d39a162d938e8da3915838135fd3949293c7f1389a579de65c699f0e37f694ac99590

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
73d4c32944acd00d0878179d54e50270

SHA1
7f3fce6925b801ac0f15559723b0c4e50dcad397

SHA256
856795f8c70cf2f962539fd1e32cbee8ced02a7b141ac31de7eb99a41fe26793

SHA512
7c05121072ef8b9c23e0e0040b13730ba18130f32692c5817cf775524ef7b9ec9343ede4eea57bf952f943ce46a898b2bd81fe44024926d4f715425aa0f20b76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
24dfe359f16029385d3e8c36d38bb76d

SHA1
e3e26b8005b9279b58e85f59de19c5fc249e2c8d

SHA256
f03012e0615bb6720d002f0ed1f2aaabaafe8789ebb12ac6c0f6299b6368a0c5

SHA512
e7d3a00f8e420a4a990fe60c5e9396c7ff78eaeab65dcd9c5bd82a34383f0a7d3d44e0bf72c2642a1011aaf68b180b0ff73b79cc6861f82b8cbbc5b56381e0d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e0fd233dd3695816abd6df022de4e481

SHA1
f6d324565750f4f65311866fe3117ceae8971655

SHA256
688ce80c9edd5159662aea85e028d1789b76fe7a9c279554dae03c74b7a9b968

SHA512
4675142ef602c55aae557d0860f83a9889d491dbb7b84396f275d80a6096f6880f4fc82d009c7bdfbaf97c3cdeb02171fc8526ff25b6985d203cddc4351bc0e2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3cecb66482dfc861e9e49463794a4733

SHA1
24607da9e8d4321504aa47b3adc503d09e1a7e3b

SHA256
7e60f66df3e2b05d465f06c1521cc86b726c5efabb6190fdcd391fd41f8b1541

SHA512
68e76ea124c3be8b9b43fb10e8b173d51d66b3b0b5fed4d127ed390a4337ca0caaefbcbdda0360dba7300ccf94d71b0ccd219d5daca328ee401093642f4ce3db

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
b791c1725f5b88073822322472c39422

SHA1
6ec982dff46560b0335704380b89cb319149a7f4

SHA256
3cdb716bbe71179ae6be979da0c50497aa3669e7d0e1ae147e441d503007fc41

SHA512
607089c8cc7e0ce2205c7489a6a381156e59818f24d0e3a56dd1d716754bf63792f0ddb81df174e35bc02a7837dc5d2143613200c8c93d060626ef2942d049ba

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
15cd6cba193d01bb864ffb85b1c858b4

SHA1
16599a5bcc54bdb93386ab605c005c5f648bbcc4

SHA256
1c569e1bc81e53ac18062fe6ea9c2cc9daaa93cbe8e59bc8186df3346b780926

SHA512
7ba427955f55acf6dbf5791f8ba07e7b0d57481543c4623138616bb7922e388e9a6a658dccd56a85987220c6eeb5fc621b3f632943da58bd8e5a273b06988bbb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ce41f05b9dbb83b34f1621193ea88c8a

SHA1
9650676d9479db4e5815dc64cfcf15342b8eecc3

SHA256
b170f1ba122d62c3c4122e97bc00ca09f315354d036d8282e673a0ee5fe55cac

SHA512
ec7d9354af3d0b474684b2eb65fe06f8b3b0e742653a655fd5b354e90b11c3a5b1fdb5ff3241744427f3267d44cc35e0d2dbd17312aff2c0303673b5b7281ef1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
004267c260407081e0133b5a42db2166

SHA1
69cadfc6599e777ecfb66a3eb9fd913b95c4bdb0

SHA256
7fc87a3cbc74731d00a217e822d9b9f1bd53d17415bd269e4da98d608375a40d

SHA512
50eb0e6f668663cce66db6cdd5c967c164817dc8cf2c7a4b7f807d6b1d9c08edf229a5c30a5936bd06cf3c1d19dd3f14a9701eba71be77aeb0dbecc29e2595ba

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cd5c1b116057e9f300d98cae686623d3

SHA1
ee6966ba2aff62dff7f40614b63cf97ea9f0cfa6

SHA256
9da1c87f2b0da49ee775c36a5e0624515b591bfa524982638550c8db8af5c471

SHA512
2d796c05d800e090e396472723095a83ca15d5ceea5242394ded153315d967ed6d4b299551d1b13bf923f4a4c392f91a49a6fe3983588d5a5188d0f90356d0fc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b5f36c355215dadd0e1cb4875cc07a05

SHA1
9f163f9fa0c4423e424544adb350178f9aa06d87

SHA256
62faf72a901a1706ad4592ab302040f7ad0a8627c5f2b0be7689201062c3781e

SHA512
4ea05ec0483c68fbd1cad2ab1d44a0b34cbd0641a1c47906b5a6cfe8c1363e40979ed197c99f3b777283c789d89acfcbe3b9f1e9071c47943858435f5eb1f7e2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
02cdce3d29d2050a1cd562ead43f8f8b

SHA1
94fef650ad09656525c34336f89b1e309633b71b

SHA256
946af15b8dbedb76715b66ae59c4f817fe6c14e4ca364ff050c5d25f64bd5895

SHA512
8b3220f09f950572331e30a7bd95f3b8110e71cb830c0616498c0fae645b1234f67ba1af1de9f0ab8ae42c521bcb65abe5834dcbe2851a770731132bb8fdffa4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
fca30809ca589003496556607bc77323

SHA1
8afb01e29edb721bdf9eb021ab09b335ab58ec25

SHA256
38477333a0873db38caf78fdc0eff3fd2a2e0f25a810237a030b575b71eeef80

SHA512
f885b184783c1ea0332d257ddb49b7567fd59f9b678d072b275327f2ba38605a95da618ab077f8ed4d8487dbea3b19a716c61e2a135c36e7079ef99e06181222

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cc5908cd150036f3334b942dde3e879f

SHA1
d8b1efc8f4884cd6b0a99766e6327e654767cf14

SHA256
c2a38ee0b346880f6bb783c1393c0b7d797e916f8cc270c5fcae854bef00a764

SHA512
2a7017ecb2baaee439345beb2525e8c4419de51128db0f2798686db56b940ca5e89114c3ee29b0637d38368ecaab7a4c7238e246db4f3e525cf79e8d223e0e7e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a16e1c3fe365c8cb47e39761a742d7bb

SHA1
b1c3f75be9dbfb352c5034e9913a10627847ee9d

SHA256
6868ea2e17a7fef025bbbbd58982f2ad849e7310126f10a0bfd5ab8b18055d16

SHA512
1c0cab96649415dc5548bd119ef5d16493de15ce789f5956d61ecb20eb29ff645f1aba43172a4e4e72d9488c037dd775172956b860ec067bf970285d36045c4a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b6d18f1e12df78a9fc75517bec248691

SHA1
7ceffabdcdb61fb4ac891ef7effa579c18bab646

SHA256
f5b84d67184b1e529f8827f7aef6a476d7ffbc044e1611f153bcc05636f90069

SHA512
eb06ab5c01b39d6245b948f641ef6ff07dd5a92db240a4e6cca1f5515138b8259894dbbaa996ab21ca82664db17b3776b60b39a8e6b5fb7e31d890154898e700

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f426b60c0391d257e0f19a69901ec1ec

SHA1
f60fc6c42591c7b908a9ff4d0faebd798408bcbd

SHA256
88c396482cee5e0de52d74b4786668ea35718254056a68d964d6216fd889b98f

SHA512
e5f4e14ff779e062d8603dd62a76a427ed50aac6c5cca559dc8571465d2c306ce9142ad586af8fb1b99d565472a0a2471573dd4053179be43ba398e012f08350

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3f365bd9246b49fe78dee36b90eed691

SHA1
dd72bce1c3fb4811797e9f58f18805ad95873035

SHA256
3e72a36ff74e9cce867a6c514ae4cb60b3f365199267871f8d0c4acd7940640e

SHA512
0ae8fc4dad3dd1c9ea11dd72201e32808efcef05d4bcde22204bf819a2988ba2992e36518bc659ec14b8c0288d35cc0888d33decfaf0c5ff7d8cb23e1131f211

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a0e4f1be141d1e7a969ae48e6fe2f69e

SHA1
f426719e54409bfc40122014a2452001ae9ed83c

SHA256
3967173102ebe039417a9b57b61dc449ec5a9c202e661a6daf9599bb228081a1

SHA512
3392deb05790c87fcc9d540a076ece658ea83fad5392c62fedd091fab259631807964c9b77333c6b896f7ce7db23d6543b7bf6278c29b699543e9c37f0c1ac11

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
559a9bfcc39f95ba35ee0e03fa2b0467

SHA1
8963624c4fd99f26398b7933b9850891b33c8ea4

SHA256
16c6e012ff3d27db606be07414acacab87a285000781f9d0de1c59d628f0a678

SHA512
755226b9623828dc24dd8b9227f952106a35129937ca167e1bed043ffa540e74a181ce85c4f4d6cb1123f5f6bd2859c814ed415974b86b21a4da26c787deabac

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a4026ac618e3a1f8078f9b6f80475777

SHA1
9327ec9de09f923ed29f8fec0629fe120f71b336

SHA256
d340c03b3f04cd91c9fa2aa0fdc29b630d21f98e9c279e561c9632d150d27882

SHA512
2a017c3d7331b08b389a7b6e3c20dcc5fb621087ab03f3f95686298cb329a91b959a91848443c1945b2a84a6627c0a2bdfeb2f882812c9d06c83323fae204d15

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
67448d5d64c46f4810976db06dc790f3

SHA1
8a8c5dc9c5f1d0f2afa4b5f22a4702a94c20cd70

SHA256
11b3965f1450302ba89efdd7986b6535938c3a04ac473c369e87ef39fe13ee9b

SHA512
7248021bf2c16a12863553d71e65d571f028d5993b5b1c7530958d3ba96281e5ba104122f10122836aa9209a7ccea90fec767e2c677ed19dc32ea7b6906792e1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b9ca2d7027773f70b63e045245bb6943

SHA1
f9c0834797db017f420ba2f4c834bd6001831e4b

SHA256
f186d77242e5396b00109b31df022f3d401e14eff620143e03ee8ed52392b1eb

SHA512
cf3655d8dce429aed874db7b9f6d003b4a8e244657da8b792d42f360f6fb00fcca8ce7aa4288d91eb6f361de5df130f2a1a9b43155e7f1703ebff70addfd59aa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e1ee72c67c870b62162db7621ac6fe4f

SHA1
80acc30560cd7dde6157679b4a5e8fe87c1e2b0b

SHA256
0d3f2edce19f7ae5195277c2fe2236f690eea915729d8893c0cda504c6ad0b95

SHA512
cb9667ac5edcbc1a6638f0bb61ff229975cdfdf8729864d8dd27e07d41e9a6cd3869adc3d8e652650c7b9a10abdbdf1207058610da6c74be5847a555dc8dbcc7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0f168e1eafe6a572d72ef7fdd8a9aa7e

SHA1
a1456a565a9c887ae3f4cbcb9fe9fa0a1d3fb70f

SHA256
a115917fc878a887e533e3058d7decf3e7bef5c8a0ecf22b1e76cc594159141d

SHA512
29a3d63353b263636d1ef256481b2df91cbe3d45cb8ece8a4f3a359a6eb0e3439a216c6a1d48d266b53cf7fde2b243dbbfae7063897227701ab58b289cda2069

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
0e10c06b33cad8950ae110cd015cd6b8

SHA1
b2455fbc2a10268e0be1dec8ad056c1b413e51d8

SHA256
87e257c12cb0d4867851afedef5e060dab0e17efa7182351c40be15df682c288

SHA512
2e34b3a8d492a59a0295bbd10e3793acc9d4670aa2403bf86910d922f464c35bd7addea22dfba1eb240107c2fcd20fb756f546658faa2b07ce18cd6f9a2c1ba6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
de27f6a2941de65bdcecfb34d84deff9

SHA1
fc403354fa21865bb721c57e8d3dae8b919127ae

SHA256
08e32da3da3fd59b42076ad268c73955a0160067c21f654049817e67be2966f5

SHA512
d1329feb6f89101e626e5fda4b79ed200129732124a1086dd83482ccfab5cb178872a8270d2f33df6a1a0040534f1676206632224f0260415e2736cc6b5a72c1

Download Submit
memory/1264-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1264-43-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1264-42-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1264-256-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1288-611-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1288-260-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1344-182-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1440-185-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1568-243-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1568-25-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1568-31-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1568-19-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1580-258-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1580-608-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1652-184-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2116-73-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2116-79-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2116-537-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2116-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2432-69-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2432-467-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2432-61-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2432-67-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2480-612-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2480-270-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2688-607-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2688-188-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2696-187-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2996-183-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3092-613-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3092-274-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3112-104-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/3112-181-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3408-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3500-102-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3500-98-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3500-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3500-86-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3500-92-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3772-241-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4344-242-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4748-58-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4748-56-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4748-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4748-54-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4748-48-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4776-286-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4776-180-0x00007FFAE0B30000-0x00007FFAE15F1000-memory.dmp

Filesize
10.8MB

Download
memory/4776-0-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/4776-259-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4776-96-0x0000000021A00000-0x0000000021A0E000-memory.dmp

Filesize
56KB

Download
memory/4776-273-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4776-81-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4776-9-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/4776-8-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4776-13-0x00007FFAE0B33000-0x00007FFAE0B35000-memory.dmp

Filesize
8KB

Download
memory/4776-95-0x00000000219B0000-0x00000000219E8000-memory.dmp

Filesize
224KB

Download
memory/4776-71-0x000000001CDE0000-0x000000001CDE8000-memory.dmp

Filesize
32KB

Download
memory/4776-211-0x00007FFAE0B33000-0x00007FFAE0B35000-memory.dmp

Filesize
8KB

Download
memory/4776-15-0x0000000002AF0000-0x0000000002B24000-memory.dmp

Filesize
208KB

Download
memory/4776-45-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4776-33-0x00000000028B0000-0x00000000028C0000-memory.dmp

Filesize
64KB

Download
memory/4776-30-0x00007FFAE0B30000-0x00007FFAE15F1000-memory.dmp

Filesize
10.8MB

Download
memory/4880-186-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4880-604-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4936-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-293-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download