0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
Size

4.2MB
MD5

5a27492b953d23c571b814b84c269ba7
SHA1

3ebb2a48987cb8492726f8a32842415d995b67ec
SHA256

0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b
SHA512

0958be8f06a566a14b5510b52e31a7771e22f8453c1b2adab39d3d5a7ca605d78419ca98a477c058716510db4d5ec9beeb6210f264e45ba480389498b1d18f60
SSDEEP

98304:A7pgFDpoPdggLL0Hxs3aobLebQq5v6D527BWG:A7p4y6DxXQq5iVQBWG

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4276	alg.exe
5140	DiagnosticsHub.StandardCollector.Service.exe
3640	fxssvc.exe
5448	elevation_service.exe
5060	elevation_service.exe
4688	maintenanceservice.exe
5576	msdtc.exe
5032	OSE.EXE
5524	PerceptionSimulationService.exe
692	perfhost.exe
4056	locator.exe
3500	SensorDataService.exe
5496	snmptrap.exe
5680	spectrum.exe
5248	ssh-agent.exe
1192	TieringEngineService.exe
1760	AgentService.exe
4172	vds.exe
4068	vssvc.exe
3156	wbengine.exe
456	WmiApSrv.exe
1284	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\locator.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\73136d3389816891.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\System32\vds.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000325114bbddf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d9a768baddf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042b99abaddf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0282cbbddf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000063caccbaddf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000458a2ebbddf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b26b8cbaddf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049dca4bcddf6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000079b77ebcddf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019dec0baddf6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001e1b9dbaddf6da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
5140	DiagnosticsHub.StandardCollector.Service.exe
5140	DiagnosticsHub.StandardCollector.Service.exe
5140	DiagnosticsHub.StandardCollector.Service.exe
5140	DiagnosticsHub.StandardCollector.Service.exe
5140	DiagnosticsHub.StandardCollector.Service.exe
5140	DiagnosticsHub.StandardCollector.Service.exe
5140	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
Token: SeAuditPrivilege	3640	fxssvc.exe
Token: SeRestorePrivilege	1192	TieringEngineService.exe
Token: SeManageVolumePrivilege	1192	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1760	AgentService.exe
Token: SeBackupPrivilege	4068	vssvc.exe
Token: SeRestorePrivilege	4068	vssvc.exe
Token: SeAuditPrivilege	4068	vssvc.exe
Token: SeBackupPrivilege	3156	wbengine.exe
Token: SeRestorePrivilege	3156	wbengine.exe
Token: SeSecurityPrivilege	3156	wbengine.exe
Token: 33	1284	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1284	SearchIndexer.exe
Token: SeDebugPrivilege	4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
Token: SeDebugPrivilege	4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
Token: SeDebugPrivilege	4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
Token: SeDebugPrivilege	4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
Token: SeDebugPrivilege	4828	0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
Token: SeDebugPrivilege	5140	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 1684	1284	SearchIndexer.exe	117
PID 1284 wrote to memory of 1684	1284	SearchIndexer.exe	117
PID 1284 wrote to memory of 5296	1284	SearchIndexer.exe	118
PID 1284 wrote to memory of 5296	1284	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe
"C:\Users\Admin\AppData\Local\Temp\0a6ee75b7cecba4c646fcc0256ee2ae158cd3e1172b722d667c623263f9a9a5b.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4276

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5140

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5420

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5576

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5524

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:692

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3500

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5496

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1640

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1760

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4172

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
592b5d6edd76f2d8e8d113d4ff068174

SHA1
84b16ed30a8a27fbb41cce310cc4359ea93e1b0e

SHA256
616180eb7a0e063250044213580463ac20d79b4d3cf6d7cc8d16c2ddf8b14f62

SHA512
1b76adfb9a7c2969c23d65b140ba98ef5f3312124ac2934c8af16f681e5d754737f4afb8a2fcf57cb9774b0f82804763f50f7e152aef0781b743799eec54df5a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
305491d6f14fe14be49f4427ee19e5cc

SHA1
cceb45a7cbdf927fa1eadecc9e80d37b7de85661

SHA256
f2784ae14893555be0293950f97c2dd14ea1c22f0778ce41ba5df3fe743c3ed8

SHA512
d3d919f5311bba9c9b56320f8fb6c70640fb627e94be9119a68df0b82bf026b0b1cbabbaf6bf0e175b7aad8161d3d994ef230518138e4ceeeb051be58fb7cc0e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8be2b01b5b55b731d4d11417d6439d85

SHA1
b2550e1189bd61b9389e4dafd682ae3d29669dfe

SHA256
b7d4f3d71383474c0f9d5c4524a54120062cee0543765249b3538bfd5229b8b4

SHA512
19db99296ed1089778f1437efd85b7b91970f9201df645eda0e93ab4c3a41d7246148802186e06daed9ce6fda6f342378af92565303da9fe89c3383afb67988b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6165dee9016c29bd99ef289bedeb0b55

SHA1
2faffc2bf6a457f55b4352f179a5a76dcc65b2a9

SHA256
cf4732e36710f7429ceebc0153282320a3a4761b02e0e05c2cb3e422bf0085b7

SHA512
9940341792a2c7be0ccc1cf5ea12e395d7cfa9ca543282dcdf2569b163f20d45f73753b95b7b03640dd22abdb70b0410d793df60dc393c526a45d16fc694be57

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d1c4eef7e89bb50db513f0d2df91e1c2

SHA1
10c36662359d6bec8d5277bff51a7ae4c9149e24

SHA256
10a2eda9b90870f651abbebbbc387a48315a4d2c570a287499827c7e633ae5e9

SHA512
1762eed76e822d07a5d53ef350ba2d1520f9a03a03c0d8ee80573f85ac46c95323daffe9c1a9fad225194dadfa6a5f7b5aac3e3691ef2d6f9311f68aaddaf895

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8fa0d3e2f24c47de3a36867ab69c7e4a

SHA1
4f3fa89651388f300db9650df977c5540c22b81b

SHA256
cb71d5f7cd5bc3aa29446abcc4d48217318484a2c4413c293bfa3c51fc6344ae

SHA512
ecd2cf74dbdb8391fa89ba2c78296ebf799cbb177a96e8b3ee16c30b4d42a723564228efe7ab4338d8ce457a005678925be7aa7cf1581b90d93f5e4de2a78dbc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f83cc72ae0d27e032b9d5f192b9c0ede

SHA1
e1ca4b1d435b05c66f68e6e2e9bc459f3c99e2c4

SHA256
1475152347401f0a300fe88a088489d5323b7868eb84ffa65a47c12209dea217

SHA512
e699bc92df31f933955ea730d872888672bb0deca71b8c6e25795765bb757330918ec85232fc4b67b31a51c7c93454ed62e83a63b9085100c6b715b486bb44c5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
421de03a3a1496d7804a8d5577072deb

SHA1
b6be07e1e8d6032b02ed4ce5f2c5e85df1b11cc3

SHA256
2fb826e8558c02f8923b1ea60736fddf1bf59d6e56d9359e7cff1364074e4014

SHA512
a870f9439f115e3a52c4083846d108fe86ac467a6bc04108fe8f13631491fb95857ae7a5bca9fff3015c40c1651f5e4919d46dc48c1dffe352d37b37082014b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
311d279ceb98c81f3bfc34737701c60b

SHA1
be8fd1cd1361e54725aaa50a0f8ff65f4372e41d

SHA256
c6f70f26e58adca86fe59b9cb05efad57d8c0a763a9b5d720660a6ed8e9b2f0d

SHA512
e62d7748e75b250e4ce292409bc639589306e862617c3d255ff43ba5f6e5c4da0e87650a1347972ebb4af674a1e9aecb5da89e7fffe779de72bbca1d1e7871d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ffc69ae280570b9e6459a6bb4d53c827

SHA1
7659d47aec6a017bec190842b5200044a9e51da1

SHA256
c3cbd2f5e7b86c845fef7f1a00ff05947eb965de64d186bc56745f793dcfce00

SHA512
002a06ab12315b29d01b44751f1bea769be41e87309f264c8c739f9ef1ba838018ada70812d57f7d1914ee028414aa5a9ae94247eadcece0d8d99fcc6ef65b06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b56f4786ea6ef19047e775deae520c8f

SHA1
d85f05cc151487df84af19ed1539173f4891ec1b

SHA256
4bd298c24021096c651425c91cbfa3812dcccff0afe1c00eddae456764ed705d

SHA512
19453a22d82522083c54c9c1fac6594ac88af8602958b1d91870425bff564ff96d0b71ec85270761b707da0ccf54d693893ecdcf0647ba2e865d8a051e1ae7b2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6ed5fe8bba4c4324277263815b48a907

SHA1
d39eb8dbed9ebef62e187eae64b900f85d254a8d

SHA256
3e3121bdc2616017ec9bdccb1649849de8c10293df9cc0702e6367b1605ff4f8

SHA512
484e4039cbfd4a27acfdf8ae82361bfc3e693df4c975ea54d2c508fa983e653f43a0f3f403f5111ea1e0e2244d6415a908cd686f219defcc11912d7391d13003

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
4ebd309bdf4c017d94cfa74118114238

SHA1
0265d1bffeba912f6c9ac638152a1e0d1ae05109

SHA256
81146bcca5e2d6881c97061428dcbe88e95cad28a4a98ad3c0d049e18ed1a6c9

SHA512
ffb3a8ccf4c1a027a9754fb667d9279c5dd6051446a7e5bb87bdcb340bfd28473590bf6a35fe1176b43978b2886f43936d957688b3b1908c0f2ac9453756be39

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
bd04c4ffa08db520350debd7a98424f2

SHA1
9ecbcbc27d04a0f14ed3725a0053978f384f9ae5

SHA256
346f74d0f6873f6b2f6eb512a9c6b36c6008cc2a00cb92eb7599d7bbc9116764

SHA512
9f5f454d257d8f304fd12a67285ba70a995e9f08161ea14ab18f91c76516f7e5ba1b9c1f6f942bbee68242e239005787423cdeb15aa6f949e0e9ecd11a22aaad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
f711987663c8007b64fa5cb76aa35aa6

SHA1
6a36a2903dfc1d9c8b154352eff075c756b49ea7

SHA256
7b3e28cc908a20f662c9c60ec3f25e045e39c057c3ae456ab8a8438f2886e984

SHA512
89ddfee38a842035328cfe75aa44f71e2b59a9d9f216608a5125167247bbf0b8a49c0ff904eebc64a08086efa4b20fd2456ff9216e91fde1afef6fe27aff0edd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3b1c35dd6e668d6df77a11592c0be0fd

SHA1
91c7952a32586b5927e0fc2403f17940c19600cd

SHA256
6cee7f5ba5767e02da84d3e980edd0ed8d7585fe956900f14c648f3caa8e28f1

SHA512
5e16d47c6d207ca7332d8dd8f5bf29aa6ec7221eeef05b161f6aba1a67fcd5904d7795eb2a64117101167fa6830274f17885eb532ae3e71bf93948b5cbd41222

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4f19409f1f4dff24bf452b5e6ed56160

SHA1
677e9bcd71d71c25b98eaf247fa0b2f0cc0a0750

SHA256
ee486f9beec941497642d914bb64f1d58fbb5a3695fbb132cc56c24a2fdd43aa

SHA512
f718d2ebbf202d44ca6151d8730f689053924e7041c29a7553d49287a9ea82b5b8128e6a605487c43615cd5331ee2a39ffb62060df880436b72ff5550f8ea220

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1b5954e6e5889f3697ad833e65ebcc84

SHA1
6392cd6eac82d6ea3613f5e1019c27b7abc63268

SHA256
7866e3b62840269d7e535ac265fb14fec410ed09ac64b5c0c0da2cb67040892f

SHA512
7cf5a0bb15c545dae0dcfdbbbcc5d829d342f603970ed2d9bca6a8310f64dec670d0f103160beb4481b3a8a0b0834811b6ca78c8aa2501dd4e882a9f6058e96b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ad919423cf88e66e44f0b2cf7dabe3c9

SHA1
1bfb745582e2d68732dfe9435f80142aebc020b8

SHA256
35d4eb191aab203b34899c63e85748377215ae7e7ee3ddd6b51ede3e2c390ab7

SHA512
5600d9491d24af75dc0a008197b5c4d17e0fe5950f3a25fe1baa0b2e8b0b8f0ac230957bad98ba01b7459bcc3a068c35dce36d604e2c13249f51bb3aad29090a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c25928f4cfc1a0c84161b0e30830d5d9

SHA1
a9205131c68d3c40efcec21cf6209e612909cbf1

SHA256
3f2916a74117bb689fa0d1d4443f628dc1131e1a48b9a92f3c77d0f8a78d3cde

SHA512
b15f9623d1e6b4fa6e77ff6766148ba1d2ef8147c1a31a5b47c5c8ac7d854fc8b89938fb0d59b85b232a2b04942fc9f617ffcc828a2d00bcd0172251544b6a09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
8b35f74be4e31836be0e1d981e6bd974

SHA1
b4f64f4ecfb29fabb566e8bd1d8bc026bbb09450

SHA256
5087ac31f7506c2685cd8a61e19fb4e9e53dbe73d0aadcd34d0931607a882113

SHA512
037f44c38684b43f204a09a00f1947c08bfc778f4ff957d5fd14f33eb871eed62112f365d6991940c6d18424bcf820b61519f5e449ff78f9f7e8e2e301057b29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
65823dbea0c132a415cd48585ae266af

SHA1
93688f986b22a71b70b5b7355642f384f1b2d06e

SHA256
7acc69599ac5d013ce7a5a64a4f88cd235aa00da0456af687b96e4ad975956fc

SHA512
8453e08888e74457fafedae4b364e690f18a5af4849b5059159d06f8b973e6d10ce467662c3fc0063b983459ccc8dd3179428d8e54bc1742a25106f81ab665a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5468c2c073589a8b7629f4c238f093cc

SHA1
0c97c96c95a4ff9d828c6248d765f771aa52bc94

SHA256
1404eee132698ce56b48ff5b135b931376006b4eced7ef4f666f1980eef81c9c

SHA512
e67e52d6c759e45e9e48eef9dd67dc08ecee08098115d56bbf8f0c873a019548ae6c358bec1b1116dc2023efe97cda965645cd8f76c53b4e09028f733f9f902a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2018eddfb56c4c7f415e52c6a59f5162

SHA1
a1fb8599b8f749afa3a64e2eefa3b6b82cdf893b

SHA256
95959eafcd4a5ffc6e1c9ce320968e68b4e0ce634792fa14ea928812a0c9f55d

SHA512
bf6f7a868e13f7df25e18aa2f55d66b9b057ef74924dde8bd905608ca7b7b8253290e5bad0ad06f4ac6d7f940a10a944489b1674c2c74d9ae491584b705d922d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e974d68dbd02afce866c8979aac932d9

SHA1
d3191dccc6ee546323516b4673b4ebe79a690a52

SHA256
ce63c4f82828849be2e6e1b725b1f368b8c04febbcfb2c29209524321318b1ed

SHA512
93ae29ffac0ae762ab9e6e3327b135532d1adc753fa4cac34a4b633fcc6aea6ec32ae813a99e44a3ad74f2faaf9ee13d8883794566df54ccd494ffd6538633d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
3c66ef863171e725248d5f96372b2c41

SHA1
5ceb33b05fa02a7e4fc86381721dffb32296d828

SHA256
95e34dc001d4a634ccf0673d272d51408825bf164098bbc6eaa886c93e3d3261

SHA512
781992f62056820f4fb08871d4fb2fe71a1f6a0df0b1dc97873a0d2c1875aa58be324640058224563237732dbd7ef350d6d84509de17022cdccfa53a09719ba3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
98d9f5ba56de3b74100bc23a588459cc

SHA1
c82d9496751ffb9f7927067d1527df7f25a09e5f

SHA256
7d84b9859ebf5a3461fbbb2cb698b4e62318c058541f3b8b1d3e28599ed2dab7

SHA512
8a7fd6987442e82fe56bd4b2da42a08484d09d4dce24929ee0460234fd4bc1b87d12fedf7897533087797bdcfc46206b05901cb1aad48cf6ffbe3dbd78ac4993

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
dbb0266c208dc7ba7dbd894a2d15a992

SHA1
05a46936f60ca774d5847fb3fc0f651fd674928d

SHA256
91a20b9b8a218fa3b6c41476fba16bec9b64eea29d5d490a15faaf128b47f942

SHA512
23517b549c286801e92da60c80d2c90aa0db866fd78f2081191802e2a6091b98ba383a5837da3bd175370933353afe5a638a0a07d542139356ca3fb783cddd34

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
82a50b4fc839d3f6a632233834ab8dc9

SHA1
e8c223028e2c26492a287398ca49039cb4648752

SHA256
4f61c6aeb90d0bb1cc4036f8e87d77efde89f5d37b6566e3272bfcfb25a20322

SHA512
492d53cd754203ec3bae09d35987ea54fea7fbff8254a32798c0063bd4504b0c8761c941c34c268bea77b66ec059bf6d8936b86ecb8d81e97424d34373fd1045

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
88983aabdbdbce514c501678f0270957

SHA1
0120f46815ab9bdd4e81958974f0d80c21d986a7

SHA256
cc866fdf1c4537bacf3a547245f1d03ba20be30996a6ea468683f107aeda7b10

SHA512
18e28588684de3c815154d89ecb3ca72962dd1f9ce8c8b0a501c1b2a64dc67dd5ea4263e16fd5ae1d28d3a1c831a2d20d730cb613a4d1756217c198a11de8de0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
2b76e6531635b507ecfef2af674ffd49

SHA1
bbaa53b02db6097a6bd5e6f7cad76ae73b53b2a5

SHA256
93830fcb83c0286d8fe3fc977de62f2be99b7cffd3b42f2d1ca2d934e4ecd82f

SHA512
39be6a53c75caf781903aa9742987c4ee8db85fab611dca8a9d12258be08ce50333c7307c1f10f2c52d8061bacb283fc487f76f6677d598427e6c4019936e201

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
723e4fab84528fc2d4444a19e5dff673

SHA1
26e07e7c47c7654fefa4f349537fc83cbbc75a20

SHA256
de955f729c1e31207f2f86aae1cf7b623bd1d86ec8debffef044c849a3c83a35

SHA512
43addc4159cd5c33ad188efd60f3a60faecff883c57867c1404c299ea890303775c0e5fc13f142b8380996843ad85ece4cc1dcb6a7c7210b8a9e9d493f3e10c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
91333d99907a0cd4bb4645a3653a7166

SHA1
537f4195a79574debc4f22f52a67073f369dab54

SHA256
909f236ee8d50153b3655efeed8a9cbc10c4f31507b46df54eb5b4e406ba58b8

SHA512
ce8749b358a71534100ae04eb49490601f5da707f81b6c565a3cd6cf86a01e8f15cc69f1a03f295fc69de3095f862efbe3630c0ca056c67c768bfd96f5fa58ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
e70cd17b81cd0f4edc2376238701d530

SHA1
bc0e7ede4b663db07fa78b76adfa8ec3ad941aac

SHA256
77af4a39db1dbe69a52f64a1e6ff9f1285f0a024be7d79b48072db931939c56d

SHA512
5943ff135da68c0d68f3423ccf62f267b7286f48f2bc32155be0de9e35240938c618923354abd344db9f3f4fff609e932b4f72fa1f4b04298717faebcbd990ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
0a93ccc4ba4cbcc430af861b4ea8452a

SHA1
25479f0b0f32c4284a9b431efd6e2e8b7408480f

SHA256
998fc4c26c8f8255b2e583c9d11c372f6eac1febb8e24690f61d4347a78125d1

SHA512
c414d44f05007e88202d930e4e66f86daf10dd5ebcbf87eb0bf55dd488778a6c0e1df46a1f6c0778638af2365ab914060a84f840855252f2e888e3faa907849c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a10550c2b61f0e0014ba7132e25c8f6b

SHA1
37977884d9b7e4626eea80370b7073c3772119e5

SHA256
c33307bab743b1c8a1ff4daeebad7074347ab7e8e5e076560d8ab6ed8c720269

SHA512
1e655cc0fc0e55a069dbb2f69b60dd34997e8f3f78cdae5f3e35e0545988589e5bd0110d867393d8103b7053e19bf8214d41466cdc048bac2cebd89585b14caa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
d3fa2ebb744dcd1badfe8f6f9436a974

SHA1
e20c66b49f9676ec14548e560d22b51d8edeb123

SHA256
3af5eb62c0a45a0f2dc54b2e198780ca389f1e95fdece21883140b19cca3c5ab

SHA512
74766055c281414ac29d824a3ae768beb559d477fbe950559df09a6aefbbf49630b47e5b5bddb2936f0e864ed38557da5cb14a6b93f6191c87bc3778719c5965

Download Submit
C:\Users\Admin\AppData\Local\Tencent\TxGameAssistant\TGBDownloader\dr.dll

Filesize
74KB

MD5
2814acbd607ba47bdbcdf6ac3076ee95

SHA1
50ab892071bed2bb2365ca1d4bf5594e71c6b13b

SHA256
5904a7e4d97eeac939662c3638a0e145f64ff3dd0198f895c4bf0337595c6a67

SHA512
34c73014ffc8d38d6dd29f4f84c8f4f9ea971bc131f665f65b277f453504d5efc2d483a792cdea610c5e0544bf3997b132dcdbe37224912c5234c15cdb89d498

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
83aff57aea6d30d0ed850f016fe1be5a

SHA1
7b5bbcc703a53278981718f631cd4619a8c8ba7f

SHA256
5ceeb5fe54190634ab112e96fbf75b5e2d607e66f7a562f422852b54a236a648

SHA512
300664f1fbf3cb39c540c1c7a0f5687515d7096aa02a1a55ee47c1d5df7a151bdd01cb65bc0f05ccb2412bcb326036b5092454630c9cb7ab7a41ca1e940ff296

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8d7058b1decc37855b751a6456cbc94b

SHA1
fc980164b7fdec98d8be862f074748f11b61e083

SHA256
75f70b48a10a42666c7c712408413673ed1ba8e41b23db9131b9d6221fb0d1a9

SHA512
63c5bb8d162c2ecac8e5c75e1d06203a2aed5ffe7d1e5876aa67596a514668bbb19985b916268c768085a8f8e208a696dea87b149f85523c1b55d6267481890a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
a023db00c9e505042433547cd1c99408

SHA1
e0888f6b411d3d6b47d62b8f7fdaae5d2deaa91f

SHA256
f514515486ab1be1b60528e9841371c10a8068a4d5b2361fc1f5fd484b3da362

SHA512
8ac47e0833f69428371831ee12b78826ed234e6441b1691871bc4d5a44c9da6053060b99a5135126a967cc9765ae926599fde63fd21e313e0c04ac59d86a8a04

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
986fa82c4d7163d0ff58e333ad3dc6bc

SHA1
6a6745ebb43e99cc549f7d995270d14eb58b9633

SHA256
ef6a144421f328aa0f4c020b554dd46901dedb20f7828962b37adc3333579e54

SHA512
54a00bc65f0faf0b52b215c8311692151a2a29c4d140a774dc75795dcd37aa71d9e5eb4edd675e33b1a86844e56aeda92129f45d20ea8039d419566f46be4d10

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
62e7b250554d05d64c3c11a4663c017e

SHA1
859fce1b9336500c1d91b92455cdf43b247514ef

SHA256
eac20b171d48817ba1bd460e75a9633617c0e85b5fb6c06bddb0ade3d65caade

SHA512
11b9e2d6ee498bf0c63843efb484535dbf0ba220fc93af87d28622810e161f820b012354d08502f7b3414bb53e45628d1ae5573f4aefb89b805f7c2d2699c7a8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0912f746525b514331ddf0779d36a4d2

SHA1
d5aad718e8b31e5f0b39a4db7f90eecbfc4f4116

SHA256
fcd8a72a09e0a371f22f029f017d64c2ae45eff03a3360be877074aef60ae227

SHA512
c0093680b13acf427e467746890de833bf14d52015301ef95247c6b14052c6d67682a3fb1a1b7a901ca81c97b939e54e5d2273e7d2909ce14b6c0cb324deba85

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
11db4f88a9eb4bd2cc108eb9f77b499e

SHA1
1c4984f6392e578c3d39034c7c0b25662baf24a1

SHA256
95059df9b761b0f6e8f51f533b8cfc91953ef0d6a9f7a2b4f63b232f508b757d

SHA512
5ff5adf53814bc80c4578428caf37f08f3a3bc75d7eb67d32339b2c45cd8fc7e789173d1af01a4897616ad1992e55d5b0a48df13dacb10249c4bbc9c00c77623

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d528b92194b8b9c1d9eef44c1e0c8105

SHA1
ca2ef50fe5c8fddb4d3f83c1eb44390d4646aecc

SHA256
dbebc1d7bb4f0c4f505e183b6334ca14bcb02c519d26213da65a218b3138a312

SHA512
5d3727b15e6b472c20ff052c6a7f59b4ebcec4c5f75b443daa50dee7f1088c5fc70b40eeb037cc5d1fbb0dc7a7f1d8046ab67b686ba610dcbec6ad93343c9399

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7cbc15b8ed96410f778499667a78196a

SHA1
abef3726a42cfcd98733e4345d545ecc79d01f01

SHA256
f1a86f0377f4d77083b3f402b7764e94476228904b978f64f9a77089f95b0ed3

SHA512
7687db1cc8ee8ddddac166beaa20d5a6960af28d14116e90977b0ca384c39a23666b0dc2f67f853912b5508ed3d30a196d852cd24dcefeb83ddec6380a79ca34

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9f16ca98301c452441cf99566605a32c

SHA1
bff9f0db666c64b2274e833cf6998cf895dbf807

SHA256
1ce2066d44f8a47028d3d828c9354d5dda1233b60e35932ad36155f8e9716817

SHA512
71e9eb6bff384dda4556d97900d1615b03f72afb3d5fb7527bdc273f1b8cb8a211f9a6c72d7d1b861a688a4255f312cf39b975babceaea0ce72d3c401026adbf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
bb26596744ed9f0d7d6158a0887c8e64

SHA1
d14782371cc3590bea8b4f5e7597ab50ffd6c7e3

SHA256
45992710a7cabdcf78d05a7862b3a499762bf8585a97c729c0a7a33b9a219496

SHA512
b9825062de32cad034626eec96bafbb8af8152e492873c427e2d52923b85d25de41a00ccd6ef17948f43857e0e36a64151b51256e27d67adc9ca2fd73e6e2054

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4e1bafa74f1b707ab328e99878c6eff1

SHA1
7c7e8ee40852fc40104df3666f26e6c8f7b856c1

SHA256
e9749fea92e4d22860503f7be1743f9c7fc93a2c147c3d9305f523ae669dd65c

SHA512
2f5e1c1cb178ac701535cbcba407063bfe421a37778f2df8bc9adb244dc09a3b429bb105fa8c6a61b1bcc585d7d4790e9412e7584d85a88734f7d08c0a556f88

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
548c01d4ac8cc51027baa91a27497790

SHA1
a359bbe4ae40c8c14c2861a1e205a5471dec3371

SHA256
8a480149e037016293e4e2d684b8bda9a4456905d4ea8f1ebd8d3737fc36df27

SHA512
a4128527a728f025f2da8db9818a1dac44b59c214985e5a1eed8376907023989c29c9789311e4cdaeb87c960921ce3996070e9eeea695f10ab6ecf3f638ad18a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
7d178a2502203df1ba6b79ab0495850e

SHA1
988adc9c403d5871145b3a779af569abbd5a9878

SHA256
e0f340fd53006a0a971d97f7193f4e425699ff1d38039b9719f9e0cbd48dae1c

SHA512
ac047168376fd36a8f4cb71c6bde761b9bf0f58ed2f10b616086e9b116bbeaa168c21dc56356cb0508d22175e77ec0fcff1ce860a0eb48406f2d1c974648c67d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
4af88c593923ee5cff22c8a607206cb8

SHA1
06d82328872fe7751c9b3102a014b11b8bad3fab

SHA256
3e886d7d045d1be3451ae450d5cd7b1a07a55beb8cfad3aaecc865c9fb155bcf

SHA512
69f86f676cb6332c89b961582946a51f4fa68a7052fc3d0531d307b5c739df3e020d4c63b0357a37a89c391c52749f53a2a2ef53388b2c166f361182cee7f0c3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
87b5bc2aa0c863191b17954f96f8911a

SHA1
4a957b11230c08f48dde24bc2bc829bd8463773e

SHA256
439dfdf877cd9f4de293573b4e23001e75f9ccb05685434d2df618e5be5f623c

SHA512
4bdbfa9f74170b292967114e39f93efab7a9db55c76b2776e91d169f25189f736d60bb9e77c0d6550b4c9af6f04fbba5136eab8a8fa18339e79dbbe4dffb7765

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b23e663ba70ea233ed90d5207bef5730

SHA1
27868f51e05f9d2ed831dc9ffc96ce2153a25f27

SHA256
f486b11ea19672b5e19b47c6975ab23eb20449ff04b78b90575ef4f5a6fca08f

SHA512
7371239bea7253ee04163ffc1da2d812052acd0514fd232d67490e9325e9d1e595d68da7d76d7a2ce6b71aea7a2a9a2bd5c873a23c212a0b9c7f0a98e695c7ba

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
1bdfd31b29035bdbe7fa578a38c53892

SHA1
14ce0a300a5ab35d4f3ed534e052a91b0f6e6709

SHA256
f1c9c6f7f24e4c9402b85d11a26e374b257a45a65f96e0f119f3bdf686c08d7d

SHA512
a0c07262b74182aa2c8e7d1eaf17324b3f44249081506b83b5562de4304c2c08948395efcefaf7253e9b1d531714e43fe95e20c2ae02420bb872247dccac8943

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
6602a3cb2c50490df58539a728967d0d

SHA1
59db4f6e127267bbd972ea6a4acb91f7db4cef70

SHA256
f444e182d334833b89903513dbf003511ce27a54476d0c2549d65b73ce3374f1

SHA512
f60b5a51825e1dca872c9f1afac6e71925b194139d3715d247590175bcd925e783f1733bce37fe9586cae5035562fbace71a64b5102c6e7a132dc458672c9ef3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
836dc849e60e18a8c05c09f5b46751b5

SHA1
c320c4875c8e46cf839281e929326521182f41b4

SHA256
8028ad7c753841de7fbfe8ff37a8255be6464d3de83e7b7857ee0ea16f6fd22a

SHA512
f695982ddc2b07860193d296b42c1558540ceeaf711aa4c526236d77af5d5edb2ca3e682b51d3ecdb787f852582b3d7b016bd12db74a86592bcbf85dedf941d0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
b56cf0e97cf577c94f176be27820eccd

SHA1
9b216bcbd431033278a85f59e338ac99f9f21400

SHA256
0a3dd4a6d202525308b6adbac1c7bcecbffc0d1ff8f0819320640bddbdce6957

SHA512
ba844a489370bc9f0c88176aa6ae05fab87f4dfcb88789c5e5ac3f5bca2c09fbdb977fd877ed24a0b77d3ba5c4b0334e9ba3f43a9a5f33a1bd295c328186e556

Download Submit
memory/456-174-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/456-445-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/692-169-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/692-113-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/692-108-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/692-107-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1192-338-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1192-153-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1284-446-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1284-179-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1760-159-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1760-157-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3156-443-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3156-170-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3500-178-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3500-121-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3500-444-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3640-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3640-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4056-118-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4056-173-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4068-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4068-424-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4172-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4172-404-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4276-106-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4276-18-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4688-69-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4688-61-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4688-74-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4688-72-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4688-67-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4828-8-0x0000000002700000-0x0000000002767000-memory.dmp

Filesize
412KB

Download
memory/4828-0-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/4828-6-0x0000000002700000-0x0000000002767000-memory.dmp

Filesize
412KB

Download
memory/4828-1-0x0000000002700000-0x0000000002767000-memory.dmp

Filesize
412KB

Download
memory/4828-91-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/5032-161-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5032-83-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5032-89-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/5032-92-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/5060-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5060-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5060-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5060-58-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5140-23-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5140-24-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5140-30-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5140-117-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/5248-301-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5248-150-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/5448-44-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5448-128-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5448-38-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/5448-47-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5496-125-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5496-219-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5524-95-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5524-101-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5524-102-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5524-165-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/5576-77-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5576-156-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/5680-137-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5680-246-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download