4292a001a8da19431eb60ac11a18a1b12061f4c22596bc96b93a6e7c4824dfd4

Analysis

max time kernel
99s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 01:28

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a3b1e2f12329eaa83782794df0ae2e0N.exe
Size

1.5MB
MD5

7a3b1e2f12329eaa83782794df0ae2e0
SHA1

84deab96645661fd1735885654299b60616b28aa
SHA256

4292a001a8da19431eb60ac11a18a1b12061f4c22596bc96b93a6e7c4824dfd4
SHA512

1ceb70289020e22db61b0b33658aae6d1f238b2fbebb52e240a1bcdbd70461aa7963fad05d50e749259b8bc7c6d4a3ea25e2ff6d49a020193f886378659375d7
SSDEEP

24576:lJnJM4OqTWPqmlbBW8sRPEbyJlTaN8D1o:lJnJM4OqTWPrFBURPcyJpaNIK

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
1816	alg.exe
1636	DiagnosticsHub.StandardCollector.Service.exe
312	fxssvc.exe
4912	elevation_service.exe
2660	elevation_service.exe
3600	maintenanceservice.exe
1588	msdtc.exe
3252	OSE.EXE
2960	PerceptionSimulationService.exe
2264	perfhost.exe
4024	locator.exe
3052	SensorDataService.exe
4816	snmptrap.exe
3512	ssh-agent.exe
2748	AgentService.exe
2368	vssvc.exe
2464	WmiApSrv.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\vssvc.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\System32\alg.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\System32\vds.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5f5aee2d6003136b.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\locator.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80203\javaw.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7a3b1e2f12329eaa83782794df0ae2e0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000418edbbfdddfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a2243bddddfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000261cabddddfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002dfb1ec2dddfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a64341b7dddfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f89b58bddddfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001823b4bfdddfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086cfeabedddfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000373330c4dddfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000aafa08b9dddfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000eaf0abedddfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
Token: SeAuditPrivilege	312	fxssvc.exe
Token: SeRestorePrivilege	3884	TieringEngineService.exe
Token: SeManageVolumePrivilege	3884	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2748	AgentService.exe
Token: SeBackupPrivilege	2368	vssvc.exe
Token: SeRestorePrivilege	2368	vssvc.exe
Token: SeAuditPrivilege	2368	vssvc.exe
Token: SeBackupPrivilege	4936	wbengine.exe
Token: SeRestorePrivilege	4936	wbengine.exe
Token: SeSecurityPrivilege	4936	wbengine.exe
Token: 33	708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	708	SearchIndexer.exe
Token: SeDebugPrivilege	5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
Token: SeDebugPrivilege	5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
Token: SeDebugPrivilege	5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
Token: SeDebugPrivilege	5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe
Token: SeDebugPrivilege	5032	7a3b1e2f12329eaa83782794df0ae2e0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 708 wrote to memory of 2024	708	SearchIndexer.exe	113
PID 708 wrote to memory of 2024	708	SearchIndexer.exe	113
PID 708 wrote to memory of 4500	708	SearchIndexer.exe	116
PID 708 wrote to memory of 4500	708	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7a3b1e2f12329eaa83782794df0ae2e0N.exe
"C:\Users\Admin\AppData\Local\Temp\7a3b1e2f12329eaa83782794df0ae2e0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1064

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:312

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2660

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3600

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1588

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3052

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4816

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Checks SCSI registry key(s)
PID:2288

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3512

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3884

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4880

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:3444

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2464

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:708
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2024
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
983cbcfb73a05364d05027bc272854b9

SHA1
48b56242a9fa7ecf5a607dd86c14af1a08fa8955

SHA256
de8c58fdec29924b7cba9bc66eae189a76035abfd5782eac12c7def628f1a34a

SHA512
63c8c6de29873625b7b8de0aa69251aa983edea9c5443674b657c9b0a6ad39c51c4ea9e892573e906d0083663ef4fa5d3b40ce4cab3262377ee8d4369776538c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c70bc53d1d01b1531130e1b17840485a

SHA1
2890faab567d65648cac2a85873a91dc76571852

SHA256
129f59c37e0e33b8b78c71d847ac4fc6f0711a2ee3b2fe4851de47aff6da2058

SHA512
f2840586436649802f29fc8cea5d81380ee67cfb1c2a0db5f34accfa72daeb57b5b6c01646ee879862510b4244acc67182b88a5b33daba41604ee3a4ff922afe

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
13894d1e214ca24e017a11a63d7879f6

SHA1
8ba1559d76c1ae6a71a8cb70ed986e947239307f

SHA256
0017007f5530be35ea50a0704c94569bb63a6607b0589e6fe05aaebb63080bcd

SHA512
7eb9f58e666c6a3ecbd3e4664d7b9c012dec61f68269327020bb9d3bcdd5696721c2ef7261a8671b8c6064afa72f2f67d39396a5455a38375bad6ddc63cecf08

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
23e3852a7a0faff01c71a857c64a35fe

SHA1
9c291922272dcf484ae626ef356eccb4dc521a8f

SHA256
9acf257055a5afeabaa418f85149f11f7456a2a6dfb4b0edd8a08dcf10ef99ca

SHA512
42d7dc5dd84bc5f44122b7476f8f20609d45a21c96c9decb94dd4cdf31750c6a34d59d0cdc984c595209b55045c97978feb17f6e1882c74930ac8971d7399409

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
7d7f6a40f65e449668def7b0e5c752c7

SHA1
5ac4fc32a468a89524deb757b3e5254833cd20ba

SHA256
54f37ae0acb1641bdd92d967c1802f981e6a4e2c45d12e89620630479cf8dd8e

SHA512
9f3fd67d54f81bd750073a97597ac35248504b59188bf2f92ae53fb39fa028106bcc86a5e2eeb2d0ab364caa222e3d071605c30bf83f81d3410506f202bbcd6d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7ee0fb3aeab7d0e47f661dca45726a05

SHA1
857a4863ff59acb9110fc5666be1bbc50caef83e

SHA256
a899aa27c4a222e384761d778157caa4063f88b3b18c9ea70b02d72d9626f380

SHA512
20f28fc269a7f5db236418ee1bdc06619b8e39c83c3d60fab7876795d2759d9a328c6d213b9f7ec25377fd75b8a8b0fc139197cb60e29af54e5a63cb22ec7c20

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5d463e0412dbe71c7cc321616580dd7b

SHA1
4521f44cb6333467121f9b7c2c8d5898f68d6815

SHA256
78d95adda2907710ef3babbe35fdf6b9b533f20f5a324df2a7e824e8566e3ad2

SHA512
4a3b9c7a8670752734b73c3cc2efd62d1dc105f73f72b66aab9fcac97b89e33ea0ad7f86593591af7f3ccdcbc37828fea4713201a2901f119aa77e1aa4909d63

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
41e8c6e6769a7556565b4b6ebce0f713

SHA1
a4cf878fa28009788b07145dc89820b210a4bfb7

SHA256
ea61c204684d8223d0cebb3a34b3bb0e5fefb047a22ea61e75a69b63469f2e8c

SHA512
8158f266d0a0ae076cdc13d6c01af320cd12b14f4f71155438fe32b7cde09bb348134b06349178f2c2fae9bd3a4494f6485ca062b1d9f82f639b1650829cc5fe

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d3f2999d5b457aed988aae84ae7d7e4f

SHA1
fca5f22fd53624408fd3337a6cb298870a60a219

SHA256
e7a19f48b22be881578c0ceb4fad6d537e6962acf2a85bae79f89f23c82a2a40

SHA512
c8c2820576cc364d314aa24bcac78388bd50343b3aa365694e1e65e0e05181db7a7d8063e1f62fac3692bb115cd50ca578a3bc50b8add04f1dfbce988715d468

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
4420957b1cc895644d7927aab8acc170

SHA1
a125e71da826dd5ed4f5c6361f706eecaf6fcb07

SHA256
3072ba35303c01d94ce33b6a99c2737058c1efe79f121885a19f285dee20520b

SHA512
7e3575b36cbc16eed5860c045ed24c6657cf794d02e92aa06cc262017b50facece2ddec1c06219d89956eb53424ed57ed494881891a492db11ca736c23899c46

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7c6539e05ca1f6765de15ba50cf6be54

SHA1
f9ad4b460588a73df8be4d114174108cea84706b

SHA256
c5e3fb7f6d42e90f2b916fc69515ccd3d9cfbc0a8ef04929e44124ba328717ad

SHA512
e0407604b6e91650fe6378eb7837305bd61632ce912fbcc96498409a2ef5e94f00423ed0212359f46154c358fa56d9d50be0b04872e3d07569b8baff2736d56c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c52d62e9649aaf081f92d15c29d3a12f

SHA1
2397c8a2ab9f5630994a79c09f34da8dadd837e6

SHA256
56ab0b29646119b9f536782818c1afe5dc0d357eb086828ced5b965bcbd78eae

SHA512
5abfd3ead5260c9dd0c0e52ba073c87c3a71252dda29229638c84e4466e7aab51ddfc9017ea5a9d102782e3e87aa7a677530cdfc7dc708563a7b293844747a00

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
77ddff640e86e3f2dd54326d28e84f1c

SHA1
92519ade26c5276d831e7672845b8ea124a6a47b

SHA256
982fedd7ca4e54e81f7a06f69034a994000e0ae70cc989f3f29350e1579df383

SHA512
202f3c3ca93f1a2f5605a70632430f1f85a722616cea0202432272e51b1adfbfae564a12be65ccd25af71166321eabf94f881dbd6f660df994f1260c67a65630

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
e14125a736297003efb586ea32079681

SHA1
000d113dc16d4fe8ae69c0452f4920a17ef20dcb

SHA256
6902345f7e465b901cb40745c7e510b4128bb171a24ab2440db9b6227fc36fbc

SHA512
60fba7d20fc63c4c1a56e7bde65217f610c061d333fc6be05d1d8f584f58867088dc2535d4d7d4983dfcde2b734832bebbd5d5986b48813b054cb1324c6c7fdc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
e02bd1bb91726954f3270f4b7ecbcc93

SHA1
7e5452ed9d148bbf2f19737c4ce9894c7eeaaf1a

SHA256
6aa279e793b697fc69891401dec76339d6efc65aac6af316441e6255ff569109

SHA512
86cca8e19e7534152260db99c805988f32f447dc078eda5d3a251e328ac0f2d3d6ae4e5c5793871a11e9cb76a6e1d78cda18fa6b22f656e4252647c4d06d2583

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
f860c765a3f817533f79cda69a451b3d

SHA1
d670d5a2e93dcdebb38e6974449212d526ca9320

SHA256
ab72fb24496a05b4fee80c9a732cf5105e29995014e4b039a6413c8e9ba5914b

SHA512
ddbcd6cdae407a5a53b273c96617ba5ba2c58f275cea5e94175cde8cfd4ee8c7e1baf640a4551fd9cb9b17fbe50f3aaead1e70a569429cd09cf48eeaa36c25b1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
28d07fb760bc00688ba63172c986f2a6

SHA1
003edeeeba36a7af5845e6b21065e7d3b8725dbd

SHA256
543307cd80fd496a3ec3496d0447d91e76c68258e81b584e7256588d84d4ffb8

SHA512
edbb7e2a11f84e364fa6fe305fb6f722e5ec4a41d5da3ddb6f25b6ba2ea8210a9f7df83cbed11b8910659fd1e3e915973bddaec9c18a8f488c337927ee321a69

Download Submit
memory/312-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/312-57-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/312-38-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/312-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/312-44-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/708-261-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/708-482-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1588-191-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1588-91-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1588-89-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1636-115-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1636-32-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1636-26-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1636-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1816-13-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1816-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1816-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/1816-101-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2264-226-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2264-128-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2288-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2288-402-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2368-444-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2368-217-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2464-247-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2464-481-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2660-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2660-62-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2660-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2660-170-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2748-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2748-192-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2960-116-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2960-216-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3052-328-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3052-145-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3052-260-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3252-110-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3252-204-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3444-442-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3444-214-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3512-413-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3512-171-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3600-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3600-82-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3600-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3600-86-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3600-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3884-423-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3884-189-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4024-246-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4024-139-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4816-156-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4816-361-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4912-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4912-157-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4912-49-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4912-54-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4936-445-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4936-228-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5032-1-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/5032-0-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/5032-73-0x0000000140000000-0x000000014021F000-memory.dmp

Filesize
2.1MB

Download
memory/5032-7-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download