dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 19:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
Size

1.7MB
MD5

6f065672eb5a2d2d4bcb15c1734510b5
SHA1

e5a37690fe1f9d957ed703672ebe4278716d73dd
SHA256

dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a
SHA512

29888ecb47b498558bb022c167597b053e7a6833228f8b49371210bc7ef82e58aa372d82c184baf36bf7ccb902dbb49fd93d872235f8498600e9bbbc7f39005b
SSDEEP

49152:GKxNupkTcKb4rSUfkVFj+gDUYmvFur31yAipQCtXxc0H:ffupkT5NUQhU7dG1yfpVBlH

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2912	alg.exe
3800	DiagnosticsHub.StandardCollector.Service.exe
3248	fxssvc.exe
4392	elevation_service.exe
2396	elevation_service.exe
1952	maintenanceservice.exe
1200	msdtc.exe
3556	OSE.EXE
3708	PerceptionSimulationService.exe
4124	perfhost.exe
4112	locator.exe
2800	SensorDataService.exe
3716	snmptrap.exe
3260	spectrum.exe
2008	ssh-agent.exe
4668	TieringEngineService.exe
3244	AgentService.exe
4104	vds.exe
4440	vssvc.exe
4428	wbengine.exe
4712	WmiApSrv.exe
2128	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\msiexec.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\locator.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\AgentService.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\vssvc.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\spectrum.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\System32\vds.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\wbengine.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1520461d99262766.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\System32\msdtc.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\javaws.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{1E8F5DDF-3FB3-4332-A4CC-B46FF6E6899A}\chrome_installer.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006946856f6f1edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000189ed96e6f1edb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000069ffdb6e6f1edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d45a46f6f1edb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c21fc7686f1edb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3264	javaws.exe
3264	javaws.exe
1124	jp2launcher.exe
1124	jp2launcher.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
Token: SeAuditPrivilege	3248	fxssvc.exe
Token: SeRestorePrivilege	4668	TieringEngineService.exe
Token: SeManageVolumePrivilege	4668	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3244	AgentService.exe
Token: SeBackupPrivilege	4440	vssvc.exe
Token: SeRestorePrivilege	4440	vssvc.exe
Token: SeAuditPrivilege	4440	vssvc.exe
Token: SeBackupPrivilege	4428	wbengine.exe
Token: SeRestorePrivilege	4428	wbengine.exe
Token: SeSecurityPrivilege	4428	wbengine.exe
Token: 33	2128	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2128	SearchIndexer.exe
Token: SeDebugPrivilege	1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
Token: SeDebugPrivilege	1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
Token: SeDebugPrivilege	1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
Token: SeDebugPrivilege	1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
Token: SeDebugPrivilege	1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
Token: SeDebugPrivilege	2912	alg.exe
Token: SeDebugPrivilege	2912	alg.exe
Token: SeDebugPrivilege	2912	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1124	jp2launcher.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 3264	1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe	85
PID 1448 wrote to memory of 3264	1448	dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe	85
PID 3264 wrote to memory of 1124	3264	javaws.exe	86
PID 3264 wrote to memory of 1124	3264	javaws.exe	86
PID 2128 wrote to memory of 3664	2128	SearchIndexer.exe	114
PID 2128 wrote to memory of 3664	2128	SearchIndexer.exe	114
PID 2128 wrote to memory of 1104	2128	SearchIndexer.exe	116
PID 2128 wrote to memory of 1104	2128	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe
"C:\Users\Admin\AppData\Local\Temp\dc60e441301444f9f7138ee3fe3e4dd47a3a890cb525824f0e49cea2e582f80a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1124

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:968

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2396

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1952

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1200

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4124

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4112

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3716

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3260

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3492

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4668

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3664
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

Filesize
1.7MB

MD5
b8e366fa5bff19ed2430967363342444

SHA1
ae53df85d17ae475f398afc8a619f12218cbc984

SHA256
4e3ce3ccd0f383abcee09bf6bd02f09ed2c265e393014357253f1b71673cf61f

SHA512
1f66902e3f21b6c485ed389bf66308faa79919d122df42975471c7e00be5747ce8c0c047359e472e0a9026fcd925033a084b58da3690a851accb6715c115167b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe

Filesize
25.4MB

MD5
34f0196d5cdcf037e5a7736870abba6d

SHA1
3cb8117b3da288600e191c6aa9c3f60755e309b6

SHA256
19fe74a43d02e8cad6484df98d70f71e41e208e21b93ab5210daaacad362e232

SHA512
c8a21449b624d574e7a4b955ede9b29275b8336cab3aebba83380384e6380d7b5700621cd963b3e327529215e5c888a67b16cf0ffdffc375babbd2a821af7932

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe

Filesize
1.6MB

MD5
f83b2b1973cf70ce13366053b705f687

SHA1
897996e5d05576227576de2f86f8fb4a8e3a14c8

SHA256
254037cc8f2847be9c8ded05d62ce94d4200d163d109016afeaf7b2b97701783

SHA512
cd946cb1b96976875eebafa3267e69d3d1e9d46971ab65e40d4e4410fe607160e2ab312b05b6ea9a77abe93fa59046a86667634158719b9f4ff6bbc213696164

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe

Filesize
1.6MB

MD5
c4e97ee3d8dfe3e7d3645cfa764f27d4

SHA1
396c4bbcca65e5a7a2c9fa9397201d0a7bfda9eb

SHA256
74eae6c080b7f5470b9c4e5078a8c61c39bdb9945f9bd7308b5a2351bf28708b

SHA512
2d6137094ae4989f568f616f7b23ef36a37716f457ba95f60c33ba3bc75cc1b4ffa0c9a33424049cbb9754a75cb08580c11e7cbf8d3037aeb89dff01a6060179

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe

Filesize
1.5MB

MD5
f006801a77af349ec366337cf5dddd3d

SHA1
221a52b8acb292497c40e5ec3d59d6cd575421b8

SHA256
1ab71cac1b1df7392014e4effe3608b37e638c6852cafce7b1bc859163cd02a3

SHA512
dc74c119adeb912cec68d9419a95e5c08c567d2e6b08b76a4006d5c890c4421516c6b8590a34ae2bf09a2d1d4a1392999e8e103fed393607e125a88dfa00e0ba

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe

Filesize
1.7MB

MD5
1e2ecf5ff9196657a218062eaea374fa

SHA1
ea189ec5731d95e0e6e37b387999d0252bf4a985

SHA256
ec88d4840a1ed8a4307f046b553c227a5c9cc2a15509e2023f6277dcd8d50586

SHA512
c4c3cbbf69b99eb6edbd7a034a4d7a4600d698cff7586489713dcd228ffdcf9ca788495989e61c099f41752e58c8a82dd625af918fc19ffe2efe2b91f141fdfe

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe

Filesize
1.5MB

MD5
a9ef48f1e269165a6dd86e82f670a89a

SHA1
0c43be77c6b8b578e7f04d1e113d3957dfa549cc

SHA256
7c43994b65c57b2d30da225cb656c83fed2a4cb3f27fd7d0c22151afd6696911

SHA512
ed0ae5ce8bca604860eb2e6889b4a99c7a27bcf4d08b144c42737f28883bda92ea36bb536d7d810d34031180eea51d431a6782c473831a2a0e4356c9bc4ffa67

Download Submit
C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe

Filesize
1.9MB

MD5
b91374a5ad508d074dfa692683ac310e

SHA1
f15e053857f9a4ec31f1142b34e1dc428bd92f3c

SHA256
2da68d55eb6f9d55886240675a79b623b079bd6b40b2ab9612921490d02a1959

SHA512
c4d6dcf91912a28dead4f0487a5af709ab03a48915d975cf1aeba05731ed86a5f5ea9ce690ff4cfdc97b1cd4fabfcaddf519ea794f89173024ac71ab36ca6dc0

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe

Filesize
1.7MB

MD5
f7e3443682b9755f35c55893d7c37897

SHA1
94b1bdf50723b5507da3aedfeff7d781f88d93da

SHA256
5854887ed92cf547ea48b3edbbce722e13e94b9029d95f8f354612e09a47d3a6

SHA512
342bfbadbb0493bca37c479f4468a62d5b22c931cb7b586773c905fa5cf4b6d96ab5249f6a1ffbbba870ef3676252ba8c54ffa0ac3a66f80648e17214845401f

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe

Filesize
1.6MB

MD5
84effa56241952b74166713a7da57046

SHA1
f5320de35cb29dfaa2aec02a822e29a0ee8177f1

SHA256
6b24ad165905b43dc780633a7aa8ab31a4c9f043aa71365f6dabfd2f39566461

SHA512
cb70479cbb345ab87476ffca5befb4d02fbb221e4cd98a07a43841fa48776b2a9d99821dd4693692e696ff011ca2f07349e25dc0649bc7e51c0ee947dc10c42b

Download Submit
C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe

Filesize
1.6MB

MD5
e453fe8450a8f4c58f35d705aa3ef020

SHA1
da9fc4171fa118bd4348098131cb9493fb089524

SHA256
6a74da5d5483490b04260c3170c6bba0cc696807db4ec457ecd6bc03fd39f9be

SHA512
9a2a484204d37eedcfae35924fdeeacbf54abf356771d6131d4a3e5d283c5a60661433c9fb0e826a1f7b7d68d9c16adfe95f3f24a9df87712bb9671157cacc0d

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4addced59bf8ccd06d379fabd3fc6ee0

SHA1
fcc93538cabfcb513e5d308439c03e9f2ef27ba0

SHA256
43b118215e1a0a8a82e196e1d50401d6360895f52ac2891b790282fa70b61498

SHA512
4ae519c3a865c61d58d8961aa166db69e9ccdf1b1f8dfefa53d4756890c664b8d4e3a7373d306410805b98a5ca87968a25f823efdeacabe8799886a743af53a9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
0ac08592a46e4888512cf122c3a7ebaa

SHA1
2126bc55fcd0845ab466b5b3d76ea4a83b420b02

SHA256
54b75fd79a4ab240c76314898a8999e956ddbdaabcfca64a303d35b24cc85a4f

SHA512
9ce59a4d5e0b24e16dcc6b001f14e7a5e40d3b5e3b763edd9276ae5e2fc7f2bc73088520d09ec1c68ac149d8a74c0d17e6e24ddade0c963f1911a620fc36c811

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
55d309302ed1635355b2c8352e189e14

SHA1
c318c43d860a6f9d32d3a1bc9d0eb9a406ea6a52

SHA256
6f0698959d832022dde7b73ec8c25d0cbe084b6a0b4119f0b508bcf79124168b

SHA512
14d3dfbd7b04a28c1919f9aafb500373eef2bc9cc5a1686425b144ac0045769d3c8ea35952735ee2d9b86cfe1469906d42f22efcd561fc3dc3d9edb36c6ac78e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
20f7a3bb40c073988fcbee2025dcc075

SHA1
d50f329133756f4677af1e2a1e056664aa138686

SHA256
597f7463011bd38e8c92c860ce037db66628f5145865ed99a85dee418f5b59ba

SHA512
d9071aafa6dc90fea8775e7f4c71f3fc0f9811de2fecc39b8429c0dae15f57cd54239fdd71163355d35997ef82f48b8152a96edddf7a3c88df2e7952ffeac6cc

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe

Filesize
1.4MB

MD5
64c659a7a3bb4235f53139d591a1616d

SHA1
f75f8a9ec752381c17bcd59be88104b566980a0e

SHA256
b278852d60c47c9e3200f6b25157b3c64537e4c541a04daace996c808981fe16

SHA512
3a739431bd8547ab17c6029c16bca72e7484dbbfd71167da226eb50cf97594da2f03afcb5c06d251dba2b56dd88d3dbbaa00d8c91f6df1ca2e1e41f492870f05

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe

Filesize
1.9MB

MD5
f4fa81eee8d765ebc80d91d6e00b61cc

SHA1
6e644cadf4f4a11a69b539e5e391f247cd7d1096

SHA256
a9d6821962cda22b786ea6cbf17b8ee5c929a6f7bb0f9ae24694a2fadba2a9fc

SHA512
1cd7a07d2515c2bdfc7f676b1dc3c916fda391811d007c38ef594b2725c3c536af8ec704a4304193d2459099cd1ec81222bc9077918fb43675f79b449370498d

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe

Filesize
1.4MB

MD5
9ac3557e6c384991b2e7cf152a3b0adb

SHA1
5c5f8df6c03dfbb1eb882b14793705d8ad91ccde

SHA256
ce18290dfb2fe60ceeef99348f0b62ff86f68b778f7d117e77f9677155d794f6

SHA512
78ebf94c4a06a1e5b838574eb95e66813e20f7b44a34a61b909a0393e599c56dddfcbd8740e27bf58ed12178023c39757e0afd1d1c5cdfeff1364c789ce91a7b

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe

Filesize
1.4MB

MD5
d06174266814a0fa09fdf895642955cf

SHA1
a516a56c16cd043eef9e9ebf2a207af2e6a17a70

SHA256
2a5c80a937c852d8757d6222a3d3413b15316798ac71d7cb82cc9a0f2bd90582

SHA512
e677d61f397201d6dd9d18091a6133878936757d9dab877f4b1d7015f32095420d3117a386cf3724edd9ffb580b639b8a60c5875032897f816ac69f8cf2fd508

Download Submit
C:\Program Files\Java\jre-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
6aedcbbe9d056a5ea804b0bddf206623

SHA1
2b84064a805a531475e82604f6a154a87273990f

SHA256
8b860142ab430cb876ce6b1b4743b86b6bf48439bf1ae8e08e5b5ea5ee81152d

SHA512
9095ad190aa18b4a0c696968358b5d8120a901231943fba5a1bb4ee033e249baa77fa0fa367b5c10833e3c4921eab2dd984aef7e068a051d856c8f9f3838e8ab

Download Submit
C:\Program Files\Java\jre-1.8\bin\javacpl.exe

Filesize
1.5MB

MD5
cd55d53a4c5aa175604148898475fb44

SHA1
a1532a9fd061cbc707b684c6ccc0e834d0ce4cc6

SHA256
c55e7b120d305f5f4763de99a226f61973740c117f043b989cbf2e146574526d

SHA512
8cf89eee3ce5f5aa118c2cde986ecbc17217b42988c99bd35527a44fa315c05cddded63849b4de6a0b2446069d747dcdf959ee71ddfab11e638f6e29884aa9cf

Download Submit
C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe

Filesize
1.6MB

MD5
cd06a7033a32b85742957ac8a6cdbb3e

SHA1
414313c6f691ded390f5966be08c1e774ef4e7f2

SHA256
7b9b096091ed8364a74b214213daaaa6408586be98c7f0eb9f2cb3eb72fd1789

SHA512
9876f14218b6c7eddeda51c2403511e4be65b624666e87168ed1dbbabdefd148b347b92e2ab70c0f57a3a1c041a7dad5ddbf0bfbc0e8ceff780fe1eae8169753

Download Submit
C:\Program Files\Java\jre-1.8\bin\keytool.exe

Filesize
1.4MB

MD5
349a412570b2618252043efb36f81f61

SHA1
4c49d142ee722f868bd376b01ddd3d031ec26123

SHA256
a1bb4778e7319764b83b72cb014d09c70c9067bca9f3a3b4adb1668d14374419

SHA512
22aeb01a17fc5602373679549ce62331d76fa118a7f15ad331aa42df7128855e8af6bc39b5394f7ab3f69f506f71c2c5938513c51a5a4559a3a7a7035d396346

Download Submit
C:\Program Files\Java\jre-1.8\bin\pack200.exe

Filesize
1.4MB

MD5
b6dcd478089ca67098c60964b581dbfb

SHA1
d442e6f987853b289effb77a9facbe9387ffe228

SHA256
ed38f7a255b967dbb66556c7b11c5860e0d7ee2010087f0ce1c0d78680dbc87f

SHA512
71d2a7848af969171d9ed7ee3ce7ab8fd55a2cbfea407d947ab1cfb2e7f8d142ec857503ff5ec1f1681ff8f5740e358c9e483836a45f9e83a94a19d75ebf2a5b

Download Submit
C:\Program Files\Java\jre-1.8\bin\ssvagent.exe

Filesize
1.5MB

MD5
139c610a253bdfd685413dadff475a36

SHA1
6fef898516f60cb62914482d211c34d33640fcb3

SHA256
1cce15b79e3b06a19b7819889412c245306843217d1daf81df26fefc5b9a6b03

SHA512
7f64d745afb177c358245f4ff252e04397089b1d5e928d22a1b57a52116a71df4d7af541beae7ca5f9a9dd417ece511749bc0ab69be8dc638e0051fd755daeb6

Download Submit
C:\Program Files\Mozilla Firefox\default-browser-agent.exe

Filesize
1.5MB

MD5
f6e648426c2e3566c61c842b0ed16b22

SHA1
79e9de724beb78e4f662088ae982a6e455bf8c88

SHA256
582db8b29273f7778063c8115d8a66cac9cd266604e3ed9f17811d51c8138077

SHA512
cb9c9e2701f070080eb9326cf102cd10066e7741e0d177a3ab98eff716a75be62e11e035a83b866ba1299207bfb1484b6347bc5bb271802faa6330dd87e6eb7f

Download Submit
C:\Program Files\Mozilla Firefox\maintenanceservice.exe

Filesize
1.6MB

MD5
dc5be841b9d95db471bb2fdcc8305039

SHA1
055c0edd40315c9c9d14aff666fda1f6670916e3

SHA256
daf1f0c921f0b2a228da85483e1169a80223152d7583d17b66933015572121ec

SHA512
a62aac631f23b123bdb6f238fadeff00a8555a5bf2116f997cbebe56db6f7924c87f16990bed9163455daeef8c5938b667c0740c866f01491101f6d557c32541

Download Submit
C:\Program Files\Mozilla Firefox\minidump-analyzer.exe

Filesize
1.3MB

MD5
6fb91eb7ce36843a1aaa59b4b90d07ae

SHA1
66acc2e7868439e070bb5bf9612c09814ea0c380

SHA256
8cf6c9d0289c51e75ea2dedf68459729da3163a594bcca9c8b38f6c4767fc842

SHA512
0b1d449bd3b1f6882c4b98cda2addb9d53e7c34dfaa98f60070f38c40b1f5d123be5e9c4dcea3c2c58f6d4eb0b73486440d3df2333f3243b954c0c3131672f23

Download Submit
C:\Program Files\Mozilla Firefox\updater.exe

Filesize
1.8MB

MD5
6b9dc02105058a63970372a0269e0cc7

SHA1
f60531b0327f63e5bd80d08684b4e8e55e35e86b

SHA256
75d5f0f395c9b146ba90eb4c39da6c9fbfbf21618562de67a114d368fd6a873a

SHA512
f0b718bda0a29ea8e4366be157cee458c013e7d9eb6557e72aa22c7d73ee5e7bd357f985d68397e38d16722742c24f0c6805bb251543d6d2a9fe5b9f452c5ff2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
4ec9b4d5d34e83763df8f415da0fea1d

SHA1
3e3e6f48a0a9405bebb01372044bc9dc96679891

SHA256
b3799b573ad08c16d7893565ef89f3af44acead866c0d006f5036e3ecaf67744

SHA512
1ce7ff00d1888747e7ba446161c3462836aaaa65652bac899f72d0a514200323e7dba16e8c06011b761832568ed1a48b60f11870871741c30f7f7a0b60099c5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
896B

MD5
501c1cb77122dd962aaf1c6517effa71

SHA1
b83d71837cb9e8087c5f97761a6960cc6f2b4bf9

SHA256
2017f3dff17bff31b136cb35771769e26a98ac71e247ac08856d9b0b5a5f2c4a

SHA512
f35de5400b32564370e613a45ab8db06be3c95d3e8982e262947944f413e541471d6eca0eb79e11da309ebfce3fdae90898deff0804ee129f6d65cc35210d122

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
00e5f72258e6c602e6841bbf4c30b136

SHA1
52dbdf9eada5d7b0e015fd3523cca5cb915c23c2

SHA256
905a454fcb15e9f2a469a9a7e6e42b8c6425d20b33a59be5b84818daae964807

SHA512
50f0f286680fd33c29956455ca7e2d293402f369bd2e9079e45930853f1feb6e86208e1c8762d26dfc6f7e742044e912a4efded9a55ddfddaa454297cedc60c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
165KB

MD5
0d0edb9563195312261c9f110ba9eb96

SHA1
d627c05e199540011f7846129f668c594db1cfdc

SHA256
d3052f0b9b37b26a56aa47adc646b7e570e7847921f642e909322c286cb4d2c6

SHA512
6eb6161634ea28ebc923d8879a9aa45bbdf95978d6c9471a7d2e11d52931b46cd4556238f722499836c84b0d7a2ad7639e392bf2941292f5287d0713a6def551

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
6c49ace73d03acc8b4c7052bbd5947b5

SHA1
9de05a8049936c06fd4dc83a645453398e4611a3

SHA256
ae516fa0aba84bb478c2eca618cbf41a6b3bd9c5033b28fb64e8baf6ef58c357

SHA512
6ef5f6af2ed82db9526a0ba5acf1d4800eefc35da447990bc2548a6b956e8d382b036cb623c29604df2fe6cc41e330a0d7a6344af023bc9774432940761afb13

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
41c366c97308da72e1fc8f9a59b76de4

SHA1
7143d9fd73e8e5152ba4a3ebd0a1836677a1715f

SHA256
b479dae67b29c520abd4bb858c7c3317aa34b41b1ba2fa85a49e13e4f6c53e1b

SHA512
067a66d15e51acd0c551a526d213a118ad44b4302f4399fb92f76b15bb642993490d405cce3eb4e897499757a502526bcb83839a0e83abdb3c47faa8ac6a401e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
5e1ec7c946a7015dd4403a7bd6a99854

SHA1
14ccc735e07048cb8a2bd2589f3c830f35f05a07

SHA256
3fe6ee251d89a695743f640c356efa579864a73d1b6ef8a73b5aecf51608e0ae

SHA512
15924d7a30829c4fab281f07924440c003d2d6f67c15aa45adfd3206190f97c44e19d9c6bdbdb98022c8f2904937c656d3e8fa01bcf008050f84fa809cd34478

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
554fbb3ccf5d764e863f7836dc08d93a

SHA1
d0d3ff3c2a748d30d7c411bf81922d00681ca4db

SHA256
2fc777145c81239dc62c2d4c3a577bb8a65739961c393272a7b09b4404e2cfef

SHA512
638132fa352bf4f56ba6819f995e19aec0462d44f0ba5dd6cf0c83107179e998a0db583838a5708e530d39ab01d1c882bb1cb67a2200eca336d0b5996f50e06f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
06aafb58e0632230217432a44b120260

SHA1
36141b5ec25ea46c2c4ccc89cc1d4746bbf9a043

SHA256
0ea70989dbed6d8ff782cdca85aaabdd9ee13746ff4e30c43f564195247caa55

SHA512
740b24e12f158d459063bad30b909030096b76b258ad73bae3442ef83d04d8e29ba474d9d9e6465c3d264ace6a393246e77a659b917b498cc4289ffc45edd599

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
98a03149861279231da61893ae66a1dc

SHA1
5966042c71117293a9806f5c398953eb567bed2a

SHA256
2bb05aa4ccd5e59144ff84e662353e02d7d6a2a0c5bb17f253e52ba8de9742a4

SHA512
82e9a3e8244f86043d6b86f31a5922aac60e48cc71871e9a5d9cf31c56210d5fb904c4ce488298ad3795c2230ce3e6bf07f32bba2810971e54173435ce80572c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
6bc74c3f0f3ba9bbe829812931aa0ead

SHA1
d6651ec306103398bc3a574e23eeb47d396e2d2d

SHA256
c93046888105846a3437bc7c69e2211cc0ddfdeb42619510cfc010c7a71d04c8

SHA512
29cd9914649d23af4bc171c58cc4e639d21105e19d204fe530c555f6ecf817ba8ab3883c6367562bbaa5ec175b96aa3d6cb5bd7edb2a4bf3dd22d2ccf0402bf6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7c39de15890fc224b7c0963f9ca3a5af

SHA1
6f863d932d17e02779f9d647334538644f684edf

SHA256
8c4f91c3edd495f0ad93b29f3bcb4bf0f2f8d54682db788d6b026e35ea53cc9f

SHA512
2480fc9937a0e134cb5e5c87e991ad21d6d86cfd88677de99697223f9bbf381584e7b9bada577ba0341c6e1d4703f3935854c1ffef34e638366612213b580e3b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b462c7268428ebe17121a18d8d6abc4f

SHA1
573f96714312f55fb7f944f73bdb026c2271009c

SHA256
b7dfe7f633268fbface2b967f079bed4eaa27da4cdc8ca06ac8d2866dd08bdfa

SHA512
ce6157578b97c814a84f0af34648d67b9e0afdcc7e139c9fc5e3f2aab14368249b0ad771a1e5712623a645bec22f0251ba1cda65d7a5c2035ca980769b86815b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
15d1c810e8aabbed7df5b5db55da2e39

SHA1
147a9f5133fed24d57de6421b5a00af9cf32c90c

SHA256
19f05b8cba667a079f53cab21f5b318c92a5c7bfd1d3bd484012c1f58acea075

SHA512
1de7d8e808ba6f9b46eb885e95744f9fbd1973690c21fe4a0a08c56b69e586cd1a4dd143f473cd246cac7c861f9fa977d93bc298ffa3a366a2f407ac7f9e0d80

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
6927407fd1aec883b830d3b53160ac88

SHA1
167e67d839eb2ed981e60ac557063e0d630a1977

SHA256
00eed0ed6371eea6c942c9dbb6687cb270688775893bdf611f6667999a184892

SHA512
1408c1ec9525858d31f2d8e5916e66e3ddf66612a0347cbf325fc06063e51aaa91b395747259aa29a2046a1dfa95d48ff77b498c83004c4bda270777a99c8413

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5ca00f7ca2de3ff64e6c36bdce9a17f0

SHA1
b2eab985a79e4c2fc45c025d185da0f3bae031c3

SHA256
3bd67085ec8eef5cf1d8961ffb6aba97e1e77ba750631c0a2f0e2302277d6473

SHA512
3c9522fbfde116bfe7ac0678ed0764854be438940afd845f2d55460e03ad27e865fc67c003f6582c8a9a37b4c065f385fbc1a1c236752291b9eb8aa5ea401960

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
a8fb483f88062e57c5f46f40e89ca9e5

SHA1
b371f0379cf50afec8110cfc082906f39e3bd7ec

SHA256
97269d5627496a56f2e48900c135526ccf0d76467c5d365ac49c5e6afc7312b6

SHA512
a05cf0851e0628952fc6a8e5416d3520bb181fb9449fb763df3b380aa40a7305478c67b64515c421e019fbeb08cfcebc9cd0e10a2828a693029ad5a65ece9afa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
9f8013e5312789e16e5751eaf447d3ab

SHA1
271112ea0fd3a92785d4a3fd45ea2f5664af8c49

SHA256
d46e0ee9a56a0ee83de12013eb04e853d1c77b054981457577138a94ffe4d683

SHA512
4592932ccc576ed1a82beae505f44c5aed8d170a8d26f2ad8d656e9e1311e9dfe892d8287c0f85d9d7ae845a4bff80c18720bcbd909ec4e55864f9f79752c4c0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
fd5f33ee53bb2e5deacf065c586aa548

SHA1
0c1d0a62a4c1192d505f068a7f4d6396c0b2e9f8

SHA256
8ca815c20d669f40064af6824986180514e3af6a751e703773f32321c44677c5

SHA512
6ac9e710663811e1f4213f24d3887edf6427fd10c1c76670461429939c82ee858820e25f0bab768450647ba6a4f8ff81ba3f4eefdb82b60652cb6e7ac307294c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
eabd8aeb45ab2ecd7b1b3b6c378f3d94

SHA1
c91e5ba37f283820cb18d8da09e893bd361a553a

SHA256
fde370c2b98c21fd2ca3219cceb4f0dc45f23c85c93a48912a208117d9f709e9

SHA512
3a2e16e2e8765cab8d33e6abe6b2834329b9e4f6ee2c7d751d238c5e032780e3d3d7911fc76a9ae65d4d13bba7d1d77227a2799ee48121aef0ffe62a730adbd9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
3e13eefeb5b1cf9c676c3fcd2656364e

SHA1
4dd2bf4a358482bc5511840d9827cdb51a8f6add

SHA256
9f0034e8f21fdd847bb8370abb1b23b3c292e4fe25d38e361dd5cd886e8690cc

SHA512
1d44b9e7260f012799d8b0235dc8b5e196515ed94f49473a13510b27791a835c48d41ef5ba9423cd2e17a40561ce5752dad2533072b5f38e4e3655428d443d58

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
18361c04ae9c40fe317cbd8c18b67fff

SHA1
334d3c259a29b326660ea3c9b6134fd07c590ad6

SHA256
ac72533092384dc14a58bd89ad07f58e785f127b4a861fcbe630178005e7cc94

SHA512
d996d314838c973a8ac5d636b09fafa71e10bbd903b05a155cc888f39aec1ceb5edda9ef54018dc56f0b15eff56667fae13d68311512f76a0ac3c5d996e02ad0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
afee47540d1952cc597a77de709d866e

SHA1
78e095924bd446259eb2dda541f9cffb0a70d568

SHA256
77bd30371e108bb7b6254dba7de298865baa280529167b2ba286b9aa0ca21fd5

SHA512
7243098138aa8827c43c3fb7a774e644b977f183ac9fb6dd15427217f6bfc21a105689d525264ef3e693fb10ede40bded5a45bd9d5a57dd4b9121137c11e74d3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
ef52f3b5e6a036d39a151a34062c73bb

SHA1
203255d46e46e2b2cfae6b2d8346ac45efef2ff0

SHA256
b7c060ca929ed33d956fe3a9a48c468224b2522ce03e28a3348cbe111aebcec2

SHA512
8ced170bb629c06d7e34a566e65c577fd756aae69f7ba3057f7d129f11d3192209ada12fc2da6cdf80f28d50f5bc86c9a98712bdc0a9aee2b86bbe7ca5282240

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
532a307886872cbbc1a2f91c4950b85c

SHA1
78a5fa357715a062c91c8791c3cb29bff1cca250

SHA256
3971bc414cf52072604e4a454a87adb6acbea853bbcc33977d19fd8f5faecf64

SHA512
bbaf5352936a6e868ddd8248fd68b334b08412de5c5b3c60ede75f3d9f0edfa7ae4ac6b86371abf87af4c8c200714d19de5fa943131b0c8592a9934c34f9ecf6

Download Submit
memory/1124-139-0x0000026CF5690000-0x0000026CF5691000-memory.dmp

Filesize
4KB

Download
memory/1200-255-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1200-514-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1200-260-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1448-8-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/1448-341-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1448-1-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/1448-6-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/1448-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/1952-133-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1952-136-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1952-128-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1952-130-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1952-122-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2008-496-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2008-705-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/2128-637-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2128-714-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2396-114-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2396-106-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2396-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2396-493-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2800-428-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-628-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2800-710-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2912-22-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2912-392-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2912-13-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/2912-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3244-515-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3244-532-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3248-80-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3248-74-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3248-86-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3248-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3248-102-0x0000000000DC0000-0x0000000000E20000-memory.dmp

Filesize
384KB

Download
memory/3260-483-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3260-702-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3556-355-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3556-533-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3708-564-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3708-393-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3716-690-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3716-458-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3800-427-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3800-50-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3800-45-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3800-39-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4104-534-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4104-707-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4112-416-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4112-620-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4124-609-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4124-405-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4392-482-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4392-91-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4392-99-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4392-97-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4428-610-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4428-712-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4440-565-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4440-711-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4668-706-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4668-510-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4712-625-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4712-713-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download