66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 20:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
Size

1.2MB
MD5

cd1f9a7a1bde4ddc215035c149ce3040
SHA1

b232835430f45ede6e6ee1e8429d832fc60ed9f5
SHA256

66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35
SHA512

be60571eb8a06648e1e13153583f2fda0206515ad31bc852d83abc10ae82d0b6a81d5f3782b636bf1f0c716758c35ca87329149ee6f337d6171f328e27b5430e
SSDEEP

24576:WCCOhIJF8Ve1UqCgHRr1r207QTD0s6dm8zHUnXiAEairhIam:7CGYiVeOTEs07QT688z0nrYm

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2344	alg.exe
5076	DiagnosticsHub.StandardCollector.Service.exe
4728	fxssvc.exe
4904	elevation_service.exe
2588	elevation_service.exe
3724	maintenanceservice.exe
1536	msdtc.exe
1776	OSE.EXE
2264	PerceptionSimulationService.exe
4444	perfhost.exe
4052	locator.exe
3740	SensorDataService.exe
3268	snmptrap.exe
2432	spectrum.exe
4212	ssh-agent.exe
4424	TieringEngineService.exe
4456	AgentService.exe
1400	vds.exe
4544	vssvc.exe
2260	wbengine.exe
5020	WmiApSrv.exe
1092	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\System32\vds.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\locator.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\System32\alg.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ee30981b240c1bce.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91656\javaw.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002c222f88b012db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b667d888b012db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a8144689b012db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050e8ba89b012db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b51aca88b012db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
5076	DiagnosticsHub.StandardCollector.Service.exe
5076	DiagnosticsHub.StandardCollector.Service.exe
5076	DiagnosticsHub.StandardCollector.Service.exe
5076	DiagnosticsHub.StandardCollector.Service.exe
5076	DiagnosticsHub.StandardCollector.Service.exe
5076	DiagnosticsHub.StandardCollector.Service.exe
5076	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
Token: SeAuditPrivilege	4728	fxssvc.exe
Token: SeRestorePrivilege	4424	TieringEngineService.exe
Token: SeManageVolumePrivilege	4424	TieringEngineService.exe
Token: SeBackupPrivilege	4544	vssvc.exe
Token: SeRestorePrivilege	4544	vssvc.exe
Token: SeAuditPrivilege	4544	vssvc.exe
Token: SeBackupPrivilege	2260	wbengine.exe
Token: SeRestorePrivilege	2260	wbengine.exe
Token: SeSecurityPrivilege	2260	wbengine.exe
Token: 33	1092	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1092	SearchIndexer.exe
Token: SeDebugPrivilege	2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
Token: SeDebugPrivilege	2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
Token: SeDebugPrivilege	2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
Token: SeDebugPrivilege	2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
Token: SeDebugPrivilege	2452	66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
Token: SeDebugPrivilege	5076	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 2072	1092	SearchIndexer.exe	115
PID 1092 wrote to memory of 2072	1092	SearchIndexer.exe	115
PID 1092 wrote to memory of 4320	1092	SearchIndexer.exe	116
PID 1092 wrote to memory of 4320	1092	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe
"C:\Users\Admin\AppData\Local\Temp\66efdcdcd13c99add6b8dd2e5c34472ce0de488aa23a88dd0969fd43d5e78e35N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1028

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4728

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2588

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3724

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1536

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1776

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2264

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4052

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3740

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2432

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4212

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3944

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2072
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4252,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=3852 /prefetch:8
1⤵
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe

Filesize
2.2MB

MD5
c10e74c4c63be8b45e2ef04cf7969ac9

SHA1
86f462afced7ebff1b23e97a8292676927193213

SHA256
233ee26877b5f28ac8ebd9f24cab388780483f4f4b9e89434b19397ad8c047e2

SHA512
09c46fde7db53e250a7a4f6af1891c4fb706a94441fca96f3f3f60f8384954194227c11eb72eea5a6f74bfe23abc5bebb906e58c22d3626bc11880d7e9da0c58

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
2eff78c034db7f16dd81c9495230b7f4

SHA1
7675787b949bfa2788ccd47c0b2bd2f40ca499c4

SHA256
00511e6f23a40bd45d3c259617dda8412e532feb71f8ec14d7e9b0d660aa4d01

SHA512
02666ca162f020998ba834831603ccde7292cce4ee7a63c064faf2a33c0ae4ca4ba5c9de2feccbea4e90073a371046a3da19418aade666a2c4ae4ec961cdd31c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0484e513209942b3c91bcdd71a32362c

SHA1
9f6f15b2c09720e3f5c2a1396497f3e1c5eaaf74

SHA256
c17a9652d759218c86b1e859433c49983bcaf4e50b1ffd05d606e6d1a8f18e97

SHA512
4244916e796237d90dbcde39029c15eea9fe67592753f4e98b10323db1fa636e9b1de3a2be90a4aefa408d6160bbb16467bb56cf5d83514bd6da00cbe61c4bc2

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f183068954d60ba005704e89f1cf9fa2

SHA1
8b32bd745e04e3999bd98d9205145cd854f7e93f

SHA256
4e094009b0fc5ec5eeda0ac4b65eadc4bccc422105e76ac73c0b1ab315966d7e

SHA512
de35587703e229b440de8968ba2f8ec948edfc65aeb1664e3bc721eb0fe19648f5b16a09f5f281034087e2f937a146a49ea2f74525a2c8b25d75fed5832787a8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
871fc7bc2e9b8bec1029312f6fd8262f

SHA1
b95bc26a5a3f0afbed4143ccb6c8b358717bace3

SHA256
0444aa7748953d1c917de650167cb9121d4ac4c0c71702dfbb3763318cdb49c0

SHA512
cb939e4293b19c69fc8e7f0cba0fc69e55cea394e4a733369192018f8a46b44368c5cbc26cbaa47b6f24cf6bb0cf63f9646c42dc290c89363dbbf152fd3f5140

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4a92bdc30a9c9bf8bfa7fefc1511abd9

SHA1
85e6e9de29fddf5911516a429718e1a0d083ee08

SHA256
a4e59c15d194b3f5add827e3475b6bdd76e8af7ceeb0e19349c6f117e2e81e63

SHA512
0eecf18b0ddaa7038e42fc41d74771d2455a64d1e2cd67479c6b467f9c75fe263b627bf5e185eb1ef4e7b7057bdd1898711b6f3eb2abfa5bf0b5a328871ee24b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
0eb8ce8dd8f563d06984cd328ddd59a1

SHA1
a862ee88b133af08642bec7ac277146b26a1a258

SHA256
7ddde98349f7c869da073cb2b11951ad07c17429c5273a055275f92dbcaa0058

SHA512
64e57d8be00f0dcc74404b8392336c5dd0a713ca6fa0fb3426e6336c7e2af1d91b6d033f2fb7c5b2df084e405cd787172f20c3aff89a96dc5cfde0d036ec9d6f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
46dd44af8b36d172ab1373b30e6e8f82

SHA1
a4e8e2dacdb83408b5e7484730e4b96237a06438

SHA256
14f4cf8d33c102bd43823b9a8ffdfabf93eb52ef4f84c345ab00408fd20e9846

SHA512
2db866b1f5d0ed140db962a53520787aa1e9a7f0dcf18d99e3193c7cf2cb3914325ba5f30f2dd2b7a8b56f8361007bd5c4014bf406620fbc4118c8fdb15c1eba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
1de1285acb0d215ca10f2c08e09910a1

SHA1
63ad84f43d56da4dff832bcb005c5a55e408160d

SHA256
c6d36af259f74ebfaba9c4923bdfe2b5ef941dee62f26e8d1341afec6dd642f1

SHA512
0352ca2b805a5cecc6e0969ab865d975b988653cb014f624ae855041ee7232bb795c5b18a75ae3e9f1a9680640f79466c11876f6a5cc585bbc8035d451807f01

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
93d866136fde6d95ccdfda696fbcadfb

SHA1
9cec51aa7740744b019200d0229a6fa853b92734

SHA256
c0aeef5fd58ccb714fc5645ef5e50b23dc2d9cf6b76baf5a531849f78974d904

SHA512
3fc805680b5045b886e921c0739ce8c0ff31ed31112263ee62deebdb46f4257d15f5a7f8bbd1343c1f4713ce6bf86c735ce4a3623d2405a39df0054c97f2abc8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b1781fd9f707550fbaf05d6ad5128ab2

SHA1
77556b41820ffb7f27175d5c6e92b7167cc26c24

SHA256
a0604a64fee02b040c2fb7cef82c428119d5362880bd0cef8e602335c7bb16c7

SHA512
9bc34ce9f24a6265a49241c119d351206ddfc748902c3641632ac4bbe099bae7f20323a437e718c893269f0ce19e8c574665dad1993f97d27c9a64baf21e581e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b9428f6f0aaf1473f1d864ff45537b04

SHA1
58f10dd73988951fab66027cd1442f80af644f28

SHA256
73078d032ef5ad48c25cf83401f17fccf6d6fef4e07b73352bafcb9a1a91288d

SHA512
5c48d2f33d6de77b37ca2b376f5bda088e71c3bcdca650f3f3f8113bd778230e1424ef5373338a8e7eed051168477887daa0d39d5de4ee07dcebb8919cffe10a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cf1686988ff61c4f709057652c747769

SHA1
0138e45fb74af7fd9f850735c20f7017b4ed8f9d

SHA256
c23796ece46276409b045f1d73732dcd00d5081e184a731c76cdfb6fb94767a0

SHA512
f836acb49b970b2f3e4700ff8fd90624cef2716135f4661d1839930019268d9279481e95908103c9550dbf330460c936cf3908045ceeac3d09aa55a07fa68665

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
cd413fb522330dce32220a65acec5168

SHA1
10e0c3395d528b326530f9d130ffdc3988bce81b

SHA256
e709261b41de6c96472f15d227d8e7a1d7af1eb6e7bcc3064fe4803707f0aed9

SHA512
0f5187f1e3c9d67ba6a4f7015b70e330b680318a5f3e321698b65fe8f0edc5659b107ba0e733e76a6a847a560031341b310591560c83378e28f1ecb39c3b5d96

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4c372688a8e27c009b04d4b59b0c3892

SHA1
734989e88798ea672aef5052d0767b3ce55a07ac

SHA256
4a78e949f2d9c139c8a285b93eae8ec356a69995e054a434832f5f92148f564f

SHA512
09068cef7819d2c0f4b778faae071b60efdbed6e37a79dffefc09141e1dab7db80930e39460ed477c0ed6f934306c13a02b4cd6377ba4a1fd18651f551d0f492

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f9dda19e83877dd279880ab2e67f78c1

SHA1
905934e47b6c5b5badfdef41ac3dab01fab8c340

SHA256
8164709f1a47e635a95ba350f96763ff38ab00f1eb315961511cbce2cfbb41c6

SHA512
1eebf009ded8faab8aa1feac8a6783fb2d8ead1b385e6ee7f6eb9427d38baceb7f7effe8092b8b00db92049b31790909f0e8950627f20228a358ac3b31ad3c75

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c6ced4a1ccd7a6fa23639115dc7262b7

SHA1
ee68918aa456243c4a6114cbfeaa8eb44ac14a6b

SHA256
313c290adaa25c2985a991c5d276bee6ac2267ca0106917cb71be28aea9ca029

SHA512
32616c15eb52ce65855eebe347705ad6b9710e2212cd8699f8f3d2aefc76954520fc119519e5992d469ed402d0e73fb9be5ceab81d197596dbafea286b5378f4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
ee69282d22eca3ef299fbd638c5a948b

SHA1
05e5583e46dc7d574b3979cffc5c406fe6788a74

SHA256
8f989795db43aa97de21285b30d8456c8334a02eaf6c765761d66384353b3aef

SHA512
c6757c267c2aabe2996806e5ba90b87b5d15ccffefc61a4c1045377ca8a0684ad4e4c77531eaa040298b33ea698d0bd49eef48ee282fdc722a7c5cdf4227a5a5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1d7ab5ab1790a4f6ac582a49ec2390d8

SHA1
857acc0ad7977869792c21f61b60bea81173e250

SHA256
504b961066b2a72803a552453d0fbc51eca56605ed78f3f3a34e9203fb2e9d8b

SHA512
ba082fb5df65ff699b11564a0e28a0efbbfdd9d35e3e8d142a1045ebe3adfb3d6039dd2d258a0793536e2fdd4529d45a0586bbae51da1af211626f287f87581b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
22da45022cad9c5ab70d7c86b2b5f036

SHA1
0d4cae6d2a6f00ee60c7b65e9877584eba3dfa20

SHA256
d1465b82f732652f5aaf76d65c49df80e88b510f3a4a1ac74f484099446fa8dd

SHA512
7eaedde8d2a956a1c0f5a7f1df3d7d943f007bd001f2870d54353ebd08b4f709d05658f74be6bd2a1c73b168189b904c7ed69c8b343443f93f0e3a2e5e5ea9eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2241b49acd90021c3b93d86e8a758ca4

SHA1
f5b1012b490b47819a4ebef045d58301b202158b

SHA256
221ae3ecc8cffe1b162955927d1ad063ce8ef7b3a1065743531ff89516a11c44

SHA512
839f0602f101e970aacd4c50e1dee7a2bebece629160fa4ffbdd4a906b1f081a2ed35eab9556c67d420482ab666a3b270595dacc3dd19f177ed9b2779af2409b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
24fd4c80bd1c4b1787e7906ac2763147

SHA1
55e8a5a50d31727a0bdbc013b2263fedfa94b75b

SHA256
e05f9a8d149f012b8c44f1b1fb22dd2da5803fc2ea229cd3b17eb56c7c4d0955

SHA512
83f448310107dcea02fa8f869c6cfd93e39cd293bb2a1807f4d8deb87f57d1fe9a85e3e55ec708199e3663a7bfd2dcf5c3485e10b4bcaef2ea0185865a851aaa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
0cdd6a99ed198d3f7ce39379087356c3

SHA1
8fe5d06aa78f77b3b7a95854814241894420628c

SHA256
c967d57d520f6caaf45e72b5940065874a859464bcccf4040678593f3fd23da3

SHA512
f7cdd2e830ddc1e64c5360e391284c0b96f4ca9c88df2f257b489a97abb710e3d64bae4eddbc142583dd9cb8d33034cab5d6f09da83c00800e891a20bbce7ded

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
42a954c1746bf73660734cc9117db8d6

SHA1
f70f27d6ea71566556b364b7d50a821f22ef4541

SHA256
451e22fe0c1925b19416e7683f4dbe1c11538c4e7bf6031aaddad51f51860543

SHA512
56a1c25b921018eef7a302ee2f6909d9991656e8c849587bf1755e59bdc08f28be0fba6142b9dc4ccfe90b33fe123bfadbdb29c97fd8c2541394bf222756f63a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
379252df019ad6024ee58b64b52eef3b

SHA1
874c9bc451f0bb7534ccb6ae274ea28aea5edc94

SHA256
f371f79d5024e65493e1a00afd57eb4d2c9ab1eb851594c1f1073c45dad84508

SHA512
2fa108c91f5df026010981f6e3eaab24babdea920a401527413768084b71c9072a74a2fec423e75e7ca5db83e9ad71d875756c92c4215afc01bedb2fa1403cad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
47ff7dbf1c6c002043e56160f8c1f978

SHA1
06377cb33d8bdb8753356d984b5020e74f3f0d1c

SHA256
24fbdf2c7d75d9726af70bbb34ad4a1aa892600326d8506e9ddd364b8ce6f43a

SHA512
c872fddd51a77ccf9d2df43a9c455d19cec6da0655ba2d315622fc1b87e594b9a9cbcc15163535660592e74f1ee4d58b98a94057fd6617a0c2a9457755ec2257

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ff593397768d490540e9bfc1b4f010d4

SHA1
91a217dc65215cfb1b8f1f341966e34799b32680

SHA256
3d0f5e3ebbb98e23f931994c8a0e62e6952bb16eef310899c8a6cd18cb0cc075

SHA512
290e5ca2943622ff9a34cf33f91e7d5b045df68912a4930abacddf41076fb3caad6533f736d1e32291d6c87544c8a497623c19263f783b8a0a12f1335b48bd0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f08950859439ece592b3d0b3deedad4d

SHA1
0f3f507b19fcb46593a1a51991205f83b97a931b

SHA256
d308f3f4fc4b383315e60fcc0b5f355302743ea959dea9dace207384cf6432c3

SHA512
ee7176a0ce43d3bced29bcea1c1dd36f9850a54564e321da62380a4fe6e650a4300f4ee877b13b9edff24ae080239dc19db5b6e4f9862f91f3eecd6275c62c17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d50bf362ed914adf2c8983e5a0d7ff4e

SHA1
c9cee0fab37c0c86aaa8702e59b0ecf77eb95a6c

SHA256
2f882b6e0e1fe3f02f2a1d4152d022cb5691a487d8f911f0a90982c7b4b91e95

SHA512
d12b8e6946b636505efb8bb7d153cb7c4caa0e80991140a364463f7fd8ac54fb694dfa5f8f3d881ffd4a49e1d1dc2e8497be9d278ca78ea86726b38a92c0de35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0bc2a25265fd74130deedeb82214b543

SHA1
ff90644efd0595a63a30bb21ea72195a1de98383

SHA256
71340a0905a2e29954ec780cf8cba4845f828c3eb498dfd2a226072ed0777cfd

SHA512
9526783ca53f2bdf289b6d3f667dfb26f622533372c8499e42642a34e4708906966e7c3a6bdff6f2510b6c7a23471a631414269f898c78f284ea3271d0fc7fa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
26b32fa57773b1b051d855107fb9fafa

SHA1
3a0142a41edf8aae7d67e6e220d0971cd3cc65e2

SHA256
81a8113905d768523484f23f7a00612d9149273473db2bd0f9788e89bb329a25

SHA512
b6a391685eb79312fda5793645a8b03af50ffc0122c149ddfc21c2d13239f1fd5cf360bdc0de3f3a65d1fd410752c0a3612bed6eaecd0b90f4af45fa524b9fc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f73beb1f6357cf719e590bd4dc74e5c2

SHA1
512687a11fbdca7dbab8ec677767992682afc960

SHA256
1bd5d53e9df03562ccdd8fa3fb0670207f31bda060172186b62e2f33bfebbc41

SHA512
d6cedb660c6a8a63fcc5b16f3fe72f350f6757932fea1be3c0e1e51d9612c9a97922d55e261bfae4e31a70f3bf038b5bfc6d2386c7776658e858b1ad5cad5b59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5e430de26af0a79957906ff0f93b7725

SHA1
cadcb6a2d64c8517b01e9fa470e64f9007349b8e

SHA256
1ec2663f95609718e3ce39d3628f3c5a5da82952557a118d1eca4333f284a874

SHA512
502a42f848d073cc8b398e6c593192a17667ca146c659a955b9cfbb2317f1079a4a337d1da7a466c36d11f133311e059f3838f55b781b29c6a6b1ab09e1225bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
72f1530c5fd1e0606cec42e8e60a743d

SHA1
e03cb31fb3fa07f0ab6461762c672ef28c7dfdc2

SHA256
f5e147d589b329ef72c3e3617cd766a2358f0f68e0f550836c0df81c52a49c13

SHA512
b7b15c7f2bfde867cf4b88639945025f82b10000c92884066ad7eebeb88b292cd02cb8e81337a462de6371d178a766021d0a471c77f2df9216d09f9c0bb4ba9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
475025a770193cad858439dcabe2b8ec

SHA1
1c1b217f1398fe2f74255b9445208146ee2c62e2

SHA256
fbce3a2260b1d39d0fa0e58a9bf8b3b98734e03125251944646d9ae2c658189b

SHA512
7545aa1a24ac5c7b2ac49f1ff39e9abd612857f3b42bfc33b71c3000e5f8f7ea01f17341ee605f1221ce1a4d59fe9c45f711d38b2d705baa4d09938b2252709a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
cc5a0b2f13a46cdd1e5a22a59c162856

SHA1
ef4660b078e1a4e0d83365f6ecc26ff2e027572f

SHA256
a83d7ea39e658ca3ea683acded9958a8c22e76c0913eee89bb34f08b64ba48f8

SHA512
301b9492b3a9cdd13203b1cc9b4632d72365259baa9609bee9f83107bdcef38ea3eec36a3941245170b8a7928450ad868f1a1efcc63978763e6136a1b64bfc28

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2c01196981642c353c52d77bba45f2d8

SHA1
262b6e69d25214695bc884c1ac2f91665ae7449e

SHA256
0707e26d08f6e61d830f1ab187c71a7a9ad519e9a62c9809c40dc22c974f2956

SHA512
b93f35a482b89f13ca6ab54742ee99f37670c0be4053aab278494e4cfcbf5aa61c8abb4d9e6e3eb745a1c702ecb69a2cb596d6b71d9a7e4ae328d5e12e0327be

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
75a446fc751f99ded7c938da52c86190

SHA1
da07e025f4c8ff99fb83a8f87a6439cbab2e8c02

SHA256
c6d8b153d63125642a50d734373d7be372297722aa0ba784f5938af3a5770f6c

SHA512
c7fcc0828fd552f0827fac03dc00eba461b506571df2020110758c4fda8606638359fef505e67a7660e94989a7da111ae623b86689c03ad730aed684b1e26541

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1a33c0f289a310bf6a6b33fba367bc4a

SHA1
adc28f317fe9c1800890ac087525a8e04f522f4f

SHA256
df8e085123d62f20606395c83ad9458070910534d224951411436c7e549e190c

SHA512
7ba7150d100375d1d9c30b202ad52a52116ffd0c90e1ccd7b985f015e669a9fc8f407e544f5d6668a5df6277ae4994251cb540f4473e303ee5a950b6e5ec9dc6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e8ab908099da0d4f27ae7f5ed6e5dc04

SHA1
be1b49bbee5c0074dd7da1653cc089855597d56f

SHA256
928ce0d48cc02a289e455a518ce885b9666cf89815d47ab4f02240b9363b8e42

SHA512
eebf55f8c732207c4e8ca4893d735bea816dbee7c0dce34d6b2adfa2f1db09097d2b1b2b6ff04c596347c2f1c947b982db62424f6c432730039e2310498e67d8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2c0c7eb1198f99a0771f805e19d0144b

SHA1
c0af4c20f2f8d016dadb0919fedcd6fab13194e8

SHA256
37110b5782e213a9ab0cc7b15927de0d072e34c9d744376616ef3bd1a6f8772c

SHA512
32e32bef1f42681f16679ee4956e0041e41c35a1a69e780a9808842bb7cffae5e9af1795c59435c74621c3f0871248eee966cd3db44247f3719aa33e57c3e9fb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
de116d7c94f5e629f2895921a41444c0

SHA1
5c2507d6c8e249a61bdbb129fbb5b99ce3c56096

SHA256
f905d829a65219891905f7e86f231a8f24b702139accb9b8c41f81238dea10bd

SHA512
08d2a9ec0a50ed117e10e3b363e1e7a3c0f449e98c0efeb613db2326f7ce2355c1b5d9904f7ae373fdf7b6d773ddea9fbc4dd93290fc6d206c1bbf9609d6bb35

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2195b5fe841439cfa204904f00d746a6

SHA1
5aa86e5bb9cb7fdc157a38d68c1b69c2df77bae7

SHA256
0af7f636cdb6eb440c3700cc03f0821cc876e714cf78121f66b7675f25924188

SHA512
c490ef60bb45434be72588d7e12f8eda0d9d3319673ee39a273ef73376e9bd252190eb243b2192f17c6c09346fa06420e2948f952276acda8f5e6229bea1368d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e8ed57877f92cd3f1913d8ceee71fa31

SHA1
e1ef0896ba92c1dc72f3e21c33920e47b92fa61f

SHA256
3ce79034d0ff629d318305c3b755749659afce07a0921ce84e9f83d7a2cbed77

SHA512
ad96d916559ba42bcf322d38977ab7e3bb5918f2e6928a18f69979a41dc96e4a49d997cf6ca5b1609e90ae88f4c1f1171da9966d59747c083314cfe78d20f3b7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2d982c7427740bbe7024b0b3062fcf4c

SHA1
c9eb547f4ca14b21cf655ca4ef2678fa5700ce3f

SHA256
8ab613781359e548ab56046b9e1d60ecab8ed3bb2ace8a2b5b8db3520c1b72de

SHA512
9131827449f08593ef709dfe8071e3b87be666fafbab35bb58068107b047dafe033566038b9a43d5fd99f41bed48012b6b047804c5b6d8341ae784169ba03aa8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
100ed8ed959aa53accbfa142dc818fb9

SHA1
b912473041b89a0968326499f0caf1a507482e56

SHA256
a08e7c5fbf1b3a027ac4da4d6c63f1d880d0ee461d3114032a87641a50a3f150

SHA512
80cf6f2c95f6ac632993b7bc4cef4882d133e8b765d4ce87d0afda92059faf3a8922e5203e5926c8d8ef792317e8b374318ee4bd78b40648bcb52a800a296543

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
af1a2f945e82c486a5bfba3f259d20cc

SHA1
bfffbfd3480c9e0cb321d46b59117b8582e2634a

SHA256
ffa0f28471f9602c996908f4ed62658871a5e29a83622f47ccfb363c1bd72798

SHA512
e01d744cf3349a01673959b0a00ba9c8e8c85e91c1aad5c81069e4e2f3ce4847fa0d3315ead2e2963cf688ab2e3bc3e67165d16f9fc6d18a88bef91c80b5fa84

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
45e7c73886285573b437d967f988aec0

SHA1
1e1ed04b7b71dc26371ee094c886b0c48b985de7

SHA256
fb7ac20cef225a944aa48b1e6e2b7fa24439131b9d30e983b46b4be77ffcbf79

SHA512
af8cfb7fd201f2fd85c836b0d99c22918653b378a8c64764bdd0178aefdd5e38972278bb16a37017a8b2f555c9577f9bd71c0950385a394e70b20b59952550de

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
268af59c3f521399d8df83e6272d0dac

SHA1
28c5a53fa943301f77d07b0e080dbd892cf81f86

SHA256
59fc4ae16fac8ef2451c539fe269446687f76d5646e03357c0c6a5cf47a3e32a

SHA512
449bb6d9a197885e07c968e1f0af861ce45eb60bf9ca6c6867ac8e302a5864923eacbf923878261830e3593f282f06e9d33593e3fe77cc7c4b6f08f5881ac3a3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a1356ba75894c29faea20eb7abfd3841

SHA1
42d0d21d6b6dc49764748819764d709578a9516e

SHA256
9d5a98ec6f6e748580efd87b1d29da41c98ba04af99fe0dc732d09bad55692ee

SHA512
11a33960f8d204f3e4236ce84794f838bdf09aaae870838060b9e81e8b6b5fafa9568c882774573acaa9e7122ac0d059da2c2ba387281413dbf605f981c1fcf3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6353dd7eba4ec61640ba5281ce8b6bf3

SHA1
3c9643ff6f04ed266a90b058813bc0e0c54cb8e4

SHA256
b46ceead4a2d9525f66a91eb1b14e578e0d844d6885c9185262f3bf54c159020

SHA512
532b6f32535ba4449737c24b0501b3db4ed917e77829c66cbfa916217761ae8efc44365e9b949c05a5927aafec0146f52ed2294351672808e12f40e5395ba303

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c63f760c2bf57577954fcb20553d4bbd

SHA1
fd7196772f10d1255d09e9b6fc5adb3f03bf9840

SHA256
db2a99e9fdee10f52cc59eb7a9c7b66c6044c6a82dfd6851d77bd3916c1beab3

SHA512
8483ff289eee6264e4070ffe86e168dbe11210b7b9dcf88c0b687eccead04e4c5e9e6e66e9180af8c82564c9d55c108c66b8b22f5c6abcd2b7ec6e9dbdab29e5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6907d91ae11c942eb06ada1f2e41b5b5

SHA1
b0e4b2ada314cc1b6febb893c5d6000bc74d5d8c

SHA256
8bc19e3e45c56efce6e36c90d401ea78fd0ee2a08a5ce7fd89bd1c270b84a5bb

SHA512
5927a936c733d98f5fc0389792ed4db994abd07ebc639703e88a946c86a7d0537f19dfaf3d80870a9ec791ddd6f09e4ff926e4af2bfda0a6cd8535656ab14825

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
d9d18923a71eb1df41979ea37b2ee51b

SHA1
ca1d58bfce7084a5f5e96585857ec3b0275de875

SHA256
c9304c7379b246c21d2af2b92b194b958038be0b3a313b4ee0e416309bf609f0

SHA512
0d7cc3fd05106b4500a858cb06a835675f20b7368e4f91546be2550dd8c21ef754abc7e7e00127cb5381c0ee5b777dbe69174a28ccf3124bbe846ece5187e14b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2deca5e74884ed81fe0e59eeeeafe260

SHA1
981cb8118e95cd9add59b6386976f9640f38c541

SHA256
34d2266676dcb490bc4e2764db8c077979429636cb400795af0a3405e0f67a25

SHA512
70d6a07854c69877279f32905255b1eb0d5f88c2f98ef850dd0730834db43b5099e1e6d73010ddf8a9ea290124a5d41fa4a80deb4d79a04a7a595cd4da19a3e4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5b5ea6af42029a4d89547b7b1da89ffe

SHA1
fa6d880f24f4f45717b2b354d7fa9941ee34781b

SHA256
a9a45c626bee0f200c6187b5ec80e8ac63ca6bd80fa5cadc4b453174d505fa5b

SHA512
b1e42a44b71609138c62b2d0dd6566da3b71739fd69c5114eb4f876c0bcce156f9bf6977adabdc875b1bfdf169124a4560a2091a7c0603325c1e0a0e973defb2

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dd0d61b81e84b2b7a8cd3da1854b0b94

SHA1
377fb64155dd3ce9fada8f04a7ccc4f7a6450393

SHA256
657b58f9f1ef33ffe226b73bc02b20458bff1c08a61519c01e48d3db5c7a3d9f

SHA512
143939c5bff55d5c6acffb2d5f69d04ef4bd4df5387458fa5a3960eb122daf772c6d886a06d902c15b11063a5c18d44a38280c738fb119c59c2c3e89f95de186

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
8bf1feabfa5fa55bf42720e8d4d37fb0

SHA1
dee38b1865c49cc0fe3df39e497068fe39c40d75

SHA256
c4e327c06d40e84521b181a2f9656bcc6a5001ab34051913a713339b92383347

SHA512
ede132f352e5312d68dafdc62b83c9290daf762c93818a2958f9a9457f3fe2da31db1a0cccb639e726c33ff054cea27dc0d76aabc2fc84fa50bc9f80062dc7c6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
13ea47a96e21fcbea6de031029cb117d

SHA1
6e06e6e587622d37221d2f9015c438ff529114d2

SHA256
dbb59719776f6fb3085a9c35b29aedbc458afed8cda7c2d0e0b79ce1fafe0fb1

SHA512
4f215f69400f2b0fd2fccc228a8124059b0b280091d418a405439e14d4052c0a66fe5dec433a609bd609875293e80373fd6019261d99c522ef9272b79d3ca18f

Download Submit
memory/1092-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1092-411-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1400-388-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1400-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1536-148-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1536-68-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1776-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1776-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1776-78-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1776-72-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2260-391-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2260-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2264-90-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2264-93-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2264-157-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2264-84-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/2344-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2344-103-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2432-327-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2432-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2452-80-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2452-0-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/2452-6-0x0000000002260000-0x00000000022C6000-memory.dmp

Filesize
408KB

Download
memory/2452-1-0x0000000002260000-0x00000000022C6000-memory.dmp

Filesize
408KB

Download
memory/2588-48-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2588-42-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/2588-51-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/2588-142-0x0000000140000000-0x000000014024C000-memory.dmp

Filesize
2.3MB

Download
memory/3268-264-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3268-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3724-59-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3724-64-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3724-66-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3724-63-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3724-53-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3740-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3740-390-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3740-115-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4052-166-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4052-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4212-347-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4212-143-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4424-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4424-367-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4444-104-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4444-100-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/4444-95-0x0000000000570000-0x00000000005D6000-memory.dmp

Filesize
408KB

Download
memory/4444-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4456-149-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4456-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4544-158-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4544-389-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4728-27-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4728-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4904-128-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4904-30-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4904-31-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4904-37-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5020-167-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5020-408-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5076-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5076-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5076-22-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/5076-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download