gcleaner | 76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
27s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
Size

1.6MB
MD5

843976c4b88422100383f5281667f621
SHA1

6f95b31e7a4129852fd0cd103777ceda2acceb3b
SHA256

1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2
SHA512

32060b358614d64b13efbf85098acdd31bad52bfe5dca101fab32bec5c25839821b164688d3fae9d94903e46bc7ca87e055d9aa8f6355cd5e72a8e666e196e1d
SSDEEP

24576:UQUNs90gf8TTBPR2Ok/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:l0zgXLNiXicJFFRGNzj3

Score

10^/10

gcleaner onlylogger discovery loader spyware stealer

Malware Config

Extracted

Family

gcleaner

ad-storage.biz

ad-postback.biz

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger

OnlyLogger payload 1 IoCs

resource	yara_rule
behavioral10/memory/2360-81-0x0000000000400000-0x0000000000662000-memory.dmp	family_onlylogger

Executes dropped EXE 22 IoCs

pid	Process
4748	alg.exe
4624	DiagnosticsHub.StandardCollector.Service.exe
3628	fxssvc.exe
1216	elevation_service.exe
780	elevation_service.exe
5040	maintenanceservice.exe
3560	msdtc.exe
3844	OSE.EXE
4660	PerceptionSimulationService.exe
1284	perfhost.exe
4124	locator.exe
2092	SensorDataService.exe
2380	snmptrap.exe
2844	spectrum.exe
3756	ssh-agent.exe
3352	TieringEngineService.exe
4436	AgentService.exe
4480	vds.exe
3624	vssvc.exe
1768	wbengine.exe
2708	WmiApSrv.exe
3740	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\System32\vds.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\System32\alg.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c8d5365e674cc675.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\locator.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75187\java.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_75187\javaw.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 12 IoCs

pid	pid_target	Process	procid_target
944	2360	WerFault.exe	81
3820	2360	WerFault.exe	81
4500	2360	WerFault.exe	81
456	2360	WerFault.exe	81
944	2360	WerFault.exe	81
2164	2360	WerFault.exe	81
3880	2360	WerFault.exe	81
5056	2360	WerFault.exe	81
5040	2360	WerFault.exe	81
4904	2360	WerFault.exe	81
800	2360	WerFault.exe	81
2384	2360	WerFault.exe	81

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f2f00ae6055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000abdad5a76055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f565c0a76055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b66a55ac6055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000013454eac6055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005acb95ac6055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000163d43ab6055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db7ce1aa6055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009df512a96055db01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
Token: SeAuditPrivilege	3628	fxssvc.exe
Token: SeRestorePrivilege	3352	TieringEngineService.exe
Token: SeManageVolumePrivilege	3352	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4436	AgentService.exe
Token: SeBackupPrivilege	3624	vssvc.exe
Token: SeRestorePrivilege	3624	vssvc.exe
Token: SeAuditPrivilege	3624	vssvc.exe
Token: SeBackupPrivilege	1768	wbengine.exe
Token: SeRestorePrivilege	1768	wbengine.exe
Token: SeSecurityPrivilege	1768	wbengine.exe
Token: 33	3740	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3740	SearchIndexer.exe
Token: SeDebugPrivilege	2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
Token: SeDebugPrivilege	2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
Token: SeDebugPrivilege	2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
Token: SeDebugPrivilege	2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
Token: SeDebugPrivilege	2360	1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 2784	3740	SearchIndexer.exe	127
PID 3740 wrote to memory of 2784	3740	SearchIndexer.exe	127
PID 3740 wrote to memory of 864	3740	SearchIndexer.exe	128
PID 3740 wrote to memory of 864	3740	SearchIndexer.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe
"C:\Users\Admin\AppData\Local\Temp\1ab92c39e8b0350609fabbbd29b9a5ab8e6e3f42182b672eef049b96a3480dc2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2360
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 800
  2⤵
  - Program crash
  PID:944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 840
  2⤵
  - Program crash
  PID:3820
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1032
  2⤵
  - Program crash
  PID:5056
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1076
  2⤵
  - Program crash
  PID:4500
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1084
  2⤵
  - Program crash
  PID:456
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1240
  2⤵
  - Program crash
  PID:2164
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1248
  2⤵
  - Program crash
  PID:944
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1584
  2⤵
  - Program crash
  PID:3880
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1720
  2⤵
  - Program crash
  PID:5040
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1704
  2⤵
  - Program crash
  PID:4904
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1900
  2⤵
  - Program crash
  PID:800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 1404
  2⤵
  - Program crash
  PID:2384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2080

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:780

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2360 -ip 2360
1⤵
PID:796

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3844

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2360 -ip 2360
1⤵
PID:3552

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2360 -ip 2360
1⤵
PID:4136

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2380

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2360 -ip 2360
1⤵
PID:1688

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2360 -ip 2360
1⤵
PID:4912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2360 -ip 2360
1⤵
PID:1724

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2360 -ip 2360
1⤵
PID:3588

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2784
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2360 -ip 2360
1⤵
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2360 -ip 2360
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2360 -ip 2360
1⤵
PID:1428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2360 -ip 2360
1⤵
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2360 -ip 2360
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
72ea7ede6d2671083cbae46451fb935a

SHA1
b8bd257e92f66af1fe8a387592ebdf382706f2af

SHA256
5973767552c0dfdf85550d56cb272793b5dc5d5ac542c5f0020bc11fe235a8ec

SHA512
2cc17fbec12d418da6c6e529c673d65baa1ae477ed4f1ee60f85872efd0298894a80a87a64ccee356b116132c481d88b9e0454e422179c494e34a0091502ff3c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
89ac4733991eb80cb995705fdc98ce67

SHA1
31da9ccb177a87bc2f3223c9759bf9adb18a8536

SHA256
724724dd8f7915b5c931db36ed9ee67f9adf30e89192c3328445f6a428caa1f9

SHA512
a8af13a3b97aa0b12e91d8fd2d3774a00a3517fc2d31fa82bf0cedcc6f5d62f76bd184e34af0a2664080d8bd4a2823e80452aaf9746438b1254884e0336c9618

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
3ae5a55f5083346dc468ee038ff4e7e6

SHA1
763ca711f7aceabb3117f049779e802f50523525

SHA256
0ba2ff5b8d5b332358f1a094fd5251c50b6f09dd66dfffbe93032d17f8300c9a

SHA512
50803f782e8578f584a1ae93d90aef7ee2cf4317eaa6965c00532543eee3aa3db2d39f6c5180914527c4c25675c7cacf10eadcb925b3a2b7331318ee2f6aa523

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
846e6825d89206dc810ffd88556ae5b5

SHA1
0e3b368f45f3b36c41f003d71b052f59ac6d657e

SHA256
386b4028494ce555c412062939b6f0cc9a4add7434c265de6c3ccde63e4d13af

SHA512
30d72cd03737c26bbcfd49d55d3e4185a16ee5db9e666ea8caf7dd8494f347a328cacc590e498823b9cf30b9f1edbf4fd46db1de0e8ba657070ec9dc080421cb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
db37ea2201b86ef598b836fac555615d

SHA1
64f6a7fd67dd13d2de27b9531fbe3861671bbc26

SHA256
2f28ec35100b5f1b01e4295337b1dea0a0757b1dd745ee4ae57b75bd7228cf5a

SHA512
b980000f4d5a510cf471b9ac53998a150107100b95979b15c3027d1b7cd414ae3a3d8c11650c1ab5404010e71a6ca8afdd99667e1c2df16b7e39c770f6d4289f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
352aa16684bd53b160111afc4d5a9bf6

SHA1
70bc6e04d1a142bed6c2ae68bd534a2737094eb0

SHA256
f1a38f67450eb92e72a3d1b790326e53174127d0404c49987271b5ac6907d742

SHA512
631b452a0798f55a34870740a96c4f995614b9e8faba2578f80da3f2c98134c1754b4e87602106633cc5d4a66d03ca92523848fccba3eeab5224712300536250

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
b6647f6dc4eff4555410d77c5c2daffe

SHA1
c97630d416ef03e9a026945819760180e411e8e4

SHA256
22cfa56c2087c0a2757eeafc4b135a99f720eba65995afc6d664c5af84dd8e11

SHA512
6b2a53b94a29cdc0e42b1602fa9ec2bfaaa5be41e701fcdd98a0c9ce60216ebabe792f94859560d55eb8267149d667786968962c7edb77143492c00e9cf09aa7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
75da47eb48fa061ad2db26878c3cf943

SHA1
bb1a99e1102f79e462588482886866ac27cffb2e

SHA256
d539d675be2cd75c52ffba780a78ac234f95b87fd498818e1f980839e21961a5

SHA512
399321e1ad502b1e550746f35ec51361e392b6f7021d1b2eb8a2f38e73900c2143314f2013cc893aa94673b4cba26bfcc541576312a0ee966495f80e8fd14abf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
e6742f6e6476788edf0880f60994902b

SHA1
24962981decb724ba2346dc5440615fc42ffad98

SHA256
6e116db1993d6fd4509f7bade4b67f93fb069d483f6f65d30e912f6f64642962

SHA512
8a38973a3a420fc0e71691101de4d4cf5d495f1e8afeb12cfd6e730e1f5bbd7f65ae41836992dfc2158f7a21acace795beea9eaa460f35c9ac6d2ffcf827c827

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6f9aa750b8abf2e6539dece7933d3b52

SHA1
fe37fb8553616d124c0e63bc24e09d5f5508ad3d

SHA256
548092f892a079435f3319c6889d509b11a3aacafb18ffc571b451e89e0bd25b

SHA512
7d07885c2959d365c82354af029545a1e06393e9d21ffca767a894d3366c75ccd6f5f69301e20778ee5692bd8a141915797212c518c61e662c4ed784c4ad4818

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a519a3ba7e724df62b5d240cd45e78a9

SHA1
c91b555d89d791d9f105ff092f36d3f08658f8d5

SHA256
8c5cce40906f2d8f364735250348cb90b2797c81b90a9a64bab88f10e5355386

SHA512
ee394f0119901301164742295023349a0f0374709a9d9782180b81d21fbf7c5af1d26a0b68f9546d5f6d9cb4247e7285493fb69b3dce13909891ae78477062b3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
73cc8f7831aca1957adc4ae2f4bac0d3

SHA1
bd09339236b1fa33de7085bcf3cb438af30f7a2e

SHA256
d87e4207f37eb348bfd438e700f047e83d0839d50f650df6369500b1e1075036

SHA512
bc0e6ce91d1d7a7488b3ce93e4d9a5000df5518a560211b76188c93142910a04315ab0a629c9c4746143354c17b9c04ddea9c636f15f2a8949a9408ff58a9975

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
a209aa3d180ab57b1d012feaddf101dd

SHA1
15125cdb0138dad37a170cc4728746368c8f283a

SHA256
5aa7a6f889fdb01b099f2af01cc76ed2fc9d8922200bf3f6e02dc46d28f6f5ec

SHA512
98de47b0f416887d4d504d150bbd13e9a30065ca64353ad0c2429297136c6281a31abc7669eabbd93f853021e40d8bf5d910f8cafc27561007cff8d058730450

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c0d7ae90b86f4bb6811ea1ec89cbbb25

SHA1
baa6058b70da95cce67535f34da33257b90927c6

SHA256
d2d29c157c324977cbc2149e216d6b30a415f7a9fd523bb0d3298532b6942b3e

SHA512
5a43f23f9941b06605e4628eef7ea1ec58a804e1ac17c1a19e6f004780e41fccc11acfe90025fb023ba0d959e31aca7e25adb8f5768326b0a28624166c8e443c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
818e81ec85be3c41c9cd8548ab37f8b5

SHA1
790fc5a9fd58334217ef8858c83f5a591d27aba3

SHA256
d409bdba4c2e7c6b6ae60d08d52fb3a3163ed2f69d806f9199484b18ed945b47

SHA512
22bf8acfc6446373019ed2f3b1d2fac1551c40619274412a7120b8144a81f70f4168331d89b65dbccfac2f575ebd40da9de7724bea0e42af9bf63cbbbb8162bf

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
0e8f47d7ca192d5a92c2a01225258731

SHA1
9069dd9e8fd49a78bee1bcfbc5cd99f419f2b672

SHA256
da09a65e3fa9b8c7015269362e94891b0e3d3c183b881cf2fcd0a6f4bc3b9cb3

SHA512
7d2a125c7615e71b9c912bf8c1b8d560dcab3ee1b9812abb35e8c62757fdec4d9d306c121bd4ed3f0d878003b6b742c1d26c433394396c7beceb3cdf6a78ee71

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a26c571fde076375c9bdbf823f6c636d

SHA1
be7af179affe03022bd4adbb9ba47656a5040dfe

SHA256
d2041a55ff4bf9699f35ca42fd22e89adfa55cd1d1786d721fbadd6ffffc9945

SHA512
5858c2879d5893f5ef6cb528218bfca1cdd3a50b863aa48cc0edd4ef9dae5c745c6cbf1e5d772c9a473e4874510b89f44959ad2ab121b33dbf4f606681503123

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
365139c14b556a8d6c7eb83337010404

SHA1
972459dc2902ddd98761837b2f9d304586dade10

SHA256
c9bd0c40006fee91bbb3ded50a9f63943e2c8d9d4ab68bd24fe9a80a8fea6dfe

SHA512
e6a9444562c550ab8a65b316ab31c9fd0987c87c1012bf87fbc4069f5952073ef1c9236b7c7f76b341cb9bcdc377f8c9bcfd0af8dd8ef66bfeb113a7c64012d3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
59de456a5ceef45d42c3c42314d8867e

SHA1
fac98f0c849fedb440b2b82b1f6570de9cca9c81

SHA256
0b1872eb1b675ebbef78ffa4593441390dd44e8b875e80e92bc695e1697808f1

SHA512
53801f662e4c466d988a3c563d0c3336a2040762f2d8de4ef5bec170df4bfbf24e6bc27bf3dda9b798337fb247028fdedbeeb3e84aebed1919291e11f522d3e0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
f2240200ef21f691bf786a9f60b5383b

SHA1
0e99342ecfeb1023c64fbd1bcc85f20d8423c5f1

SHA256
4e55f1b68a3609f17dee8c152c127b46a0cfc110740de36bbf2713320df9e61d

SHA512
fa2efe6942fcb2601a4942fa3c5c0c9f34a06aee5433f26b7ca9a5c070d3facbab844407a3186b2f4dc20ab85bfba9863fdc7b3ebef454db1f8ff934f61eb5c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5e7268ce9bfe8c29306d52b174653084

SHA1
b8aaaff214de06cbe23e71ab995eb3c2f12b2535

SHA256
eac69962ad82ebf42beb89fe2a58d266a01e7a1b5175114eab45246d71defd83

SHA512
2414b4a23105ce8c3b5c2c557579ed6913a0c38e8936f914d3dfec2fec14b12f89f1827dc88dd228ab918614362194d52b871467efb511e2c8182761fd55617d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
af802eb2d28fb765731931b4497b8f67

SHA1
d5ff537f8be767fa540ce991fae44c7994d662d8

SHA256
4532ea98a4a1261163cc465a12130c027f9c177c8ab5c2c1cea131e3485efbb3

SHA512
252fd9549dd67b2ead81405069eef9c73ce17cd479587f5718c6e5099d9c6ca2d0dbbb14dd4687c3d79cda3dd67f4e5024f769142b48c076ad58d1deda57c48f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
09473410237991643da36c48bf5cf6d6

SHA1
6adc4dab2dadeb03d817f3c85efc55c4ae931f4d

SHA256
f94122cbccd016d0c96b421db883de055319eb4d372b324f91979399154ed215

SHA512
ef0a37e53a02f363981ec9074d2f805046a4bf65c6588a1cfc798b09d22845aed3e4091cea8a3c65aa8c5540becc5a7776cf1501935c79b8d5a0e36680d1a496

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
6985633ade6316542876c9fbe1d144df

SHA1
32cb0641d6bd5d94bafef3197dfcfe0bfb7ae10f

SHA256
8db25b70adacee48a3b22a4e362596aebf03048ddedb84f0f9f495be15ad7a0e

SHA512
64b4711dd80234a518d1547516bbd7bd2a88c00401abedcfb35c7b4f1d6045bde134a0be002129f43c380d679e447b8818f6a17827c7236b886f87e9cc704165

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
125b6bf98f96c27fce6ad824189bedc1

SHA1
0d22b31e9d81c8e4d667175fcd96160d8639888b

SHA256
58319ed54c0959e68617ad545eae5ae87f3e05094e29bdeb9941913f1e5aa111

SHA512
b2a2a9c86eec32db58426856813c0ce963d9e370fa189ac09931a1607a3aa081c178f50731b2265b8b38e4621815b9cb33e4c8d2eef0e790f1f980737377f06c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
fba0159dcbb40e2f12c094168c221f9e

SHA1
3885e1e231dc920cf61204ca6ecfae74776866e4

SHA256
cd00fb8c24a1c8de85d25f5aa03382bce53e74ee762becbf560f52147b224f95

SHA512
a1e8e4955b288ee1f054919f1282e02119c3929ddcf8368cefcf91eaf9465fa4e92f0adb846eac1d2512a05272efac74d0c96aa5b570de0575070b7b9712f055

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
93712fe634489977f127c018d31cf5e9

SHA1
1a18ab4440d22ded402662b696cc5c4bb1389c03

SHA256
5a7327e572e028e59490ce4812ec676915e6575fbf258e25f64785ae15e105e5

SHA512
fde5ef1f52403b13cff683b1202b0c3105f9018d9f9df7bb360132f3200d5efb93e0fe14f00d67d953e77f87c256d601485cb2f0f5f4bc36fd90b2641027bf93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
820cee98dc9671e5cbef3bbcb4c28ed5

SHA1
f3989a8ad4fb91edc8ae2b09c86478d5435ae84e

SHA256
b2aaa1124b90067e2b6a11b5b754d4fe03ccb74003e5d5642f1f269340e5747c

SHA512
c32db2fc3ad1f73c637b9bac79727bc00a30f353d3be04b90508907c05df1419614b2e2ef496e659076e634a1ff4e9b7327cea36cd3aaa99702da68b3ce25ab5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f591156a3a701f584446b3259fbafd00

SHA1
6e9614ea768679afcd7195bfe19230386273605a

SHA256
837558e5ff7a07dca5823a2a2374ba3f12df7b1ef8d4629c8c8b60556d657fdc

SHA512
250636357fb7729ed3bf5047aadf274b2f3cdf72fd9ca42533ab67bd43e73e15a06e70e4a35b7dc3679ebdc2017aa211fa0999f90f386f550cd9eaa5463ac57d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ca7b8a542fc2161229ae76370f2c0ce3

SHA1
d8b8494ce9c7412f7ad207c6f4a6478088b46711

SHA256
07b274ca5a7f3dd72385dc1e3117619d15627e87be9ffdf373739438cd1e9afa

SHA512
7b6f540a362a1776afac1aa09ddfae439f66e68e307a7fa352133f8732eceb7fbba31a88f9ae3865f5891cb8c8dcf170d80b87c4f391ffd4600be9a535783267

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
e93e214f6d05c8524677324b8ea33433

SHA1
e6a271f76578fe43c308320b673c8087e7bd0f37

SHA256
3ba4bb076dde4eb8458a0fe324ede73d22f05cc5e4ac721c9ca0e949a66e1b8f

SHA512
5d521b8c9369db326e190af9840e8ff2d8884ee9a4f04eaf3554576c076cb2e3f92744dec2e892af1398fe11619d56eb6cb2033f57b3a78d729d108a8c90889d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
e3636154fbf95dba4d298242e99695c8

SHA1
d479b83dda3cc4ed35b8cf1a4eae4eaabc4e489f

SHA256
532606fba3026afb305f566a048e4bd27ae8258db80608e0626509d930eb5f70

SHA512
6f034f0be57918b7c0aef4fb65da92dcb6df67edb727566d756de43b5349cc3e4b5473797469915db22f04a03945374200e82e96d4f4068703f61eb62cd28bb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
1b6266dbefecc8bc193038a0a56fb2cd

SHA1
55e99225afd004eab3d8eae50308210d0144eda2

SHA256
6f2280f2f979b31cb3c9362766b2049f12588dbba100f9f54fe748d7aaa794e1

SHA512
e8b88021ef8065fd93ae5c15b0e20d999789e94356b8aa31b292d9ce74b8e8d25423f8275f486487507887c3adaf50f19dfa1bc8a0d213bb3764d62932890e95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
2db6ad29d91d60dbe4fad658deeda36a

SHA1
fcc0388744c64e07da6204edda16a77792402d77

SHA256
8e705cbdad3d0b7338095d3a81598bcee2fe91de6d93c5a00e414b4c86622da6

SHA512
2d90a4134a5d7abe815c86778a27536e7a8fdaff0e1e968ec18efb2697f2104cf90d22a31630b60c7cbce8bb446858210eed765bb986eb1f75c69d76466aa61d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
75df129a0102ef3d77578c36ced5d37f

SHA1
e7bfbe2ed9af3bcaf384926a61ee5991e67ff3df

SHA256
13c2de3ab3de789fecc5e53bf1fe549cd91f259f77c4355cd4afa13f0fd34112

SHA512
748e94b2d756fbdf1f69e71cdfb8840cec2fc5e6594a5a3b533a92816a6def629bc99a8566040cbc7d699fe0177c230a7b45c54f42679bd985bfe16ce494ee77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
a990aea33adeccfdef2d9f97761b7605

SHA1
47ac7c3e8fa5757e0051ceb3dd22521f36726bef

SHA256
da77baca31d68873c7af4efb667cb2106adc6089c9d9e5a68eea26b905a43536

SHA512
ea7f61e6f12da778874a86b6a90af3a11921a68496c9b21c9e39bd93d70ef8c9f343674691983c49dee8d06783ed69b111b00df6883193bedd1b204f668b4659

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9935b505c85c9a6a70b2138d85568fd0

SHA1
897b1568f28863fc733912ac33cbf5850de4e59b

SHA256
256911f492d126836d78bedd884e1751243d0f07788010b184128cff4518ffa4

SHA512
bd3b40d09a214fad1326517800c47a0a9e4aaf9108f39f66fa0cad786d93f1ea94e34667ba89a966d1b61d882965040b53f6ac5749304dbff469909f312438b4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
ee9e2e4cff3a97746534bcf33aecd730

SHA1
afefe88376be4d9ce48c885b3fcc5e2866eeb562

SHA256
9811f7fa5ba0451c778de2c74a05109271ab27d5ac22b4615ca44d6868bf98de

SHA512
ab5224459cc95271e2b0fb224e5cdd9b9a0bba43682a068acab16e8d9c02eac621d023fa47c4c1d1e3ebdcaaf0b21adefebba7b520bd37b21eb7a11d0aa6b602

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3eee0a6dc4d86c51b76e0f418957e2ce

SHA1
4fff24ff2de7ad3209a455f6283a7b8392b7aba6

SHA256
c9e9f7bd32405c15f1f39a9fdc9748182a985850e97a5710cd7e4ea690414158

SHA512
b1650521b1b75b90baeaa23b367039a7501e406dbf474f63ae3664f2c6f1c133b625c866d8d125f6c0bd4c74446ba00e8facc0bd6b98c9dc47e9abc39736ca8a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cf32b26defdbdb537f7d23d3684ded07

SHA1
3211d3be4e653928ddde8a280f948256e64bf718

SHA256
013841e11c52c17dc73735d8da391d1aeee130fefcb4751e231f3a9c7ffc9637

SHA512
0d4aa1bd99cd1662d0136c16ac090b95a6215e9b2ffe3bd386f09c7fcbb15d1984819969db5eb8e6a37d12f0716c07928faad4d695d42d18dd45baa88baa92c9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
ae96bc3364f56ac6b0dff5b5341798d9

SHA1
0699eb240c10415043592123ec0413585ff98992

SHA256
2b1476c24b2ad403a4adb9f36207920cb3c616984eeec30e911856a14c353c85

SHA512
acfc5b79d264da2ae0af4ce236f11534a03a6e09e486e6f3ea5014eadfacb8071a61e4c6efe0ead6b9a87ec7f0905b284d32fe9a15ab40e2bd79236384ff9900

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
09c746f7b5c087ea298b73478655a331

SHA1
bc27ef404637d8b5ace22b2f992ed6f820707273

SHA256
74660c6e4d4eedce6e1846e5cd5e814eb19f8408df7d619b75770eff979ab4cf

SHA512
e1a8d0d1216c69ba8e6d110a2030111e2b2a5b8a1f5c1ac813958a15f4486a9c3bf134ffe51b89d22e661d2c4203cf1325e371de2bc2e004a6b38fbc8eed4dcc

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
b34a2b69961e3457511e6c90d10bd5ce

SHA1
4dc3d3353043bbaaf763e2ca676d2fee5320d305

SHA256
4198316f8bdf9ffdde6cf0498429ccc86fa7ce2cef274077bc3b33df672ff955

SHA512
14ed757884792dd3aeba8cc967f70bc312097fc8f882f9c6965816c396902e30ae8244adc837b0a23332300e7ad827cdbddf365630552bd64d7a6107be7f132e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
c458673f9047b3615c12c7cb1935aed8

SHA1
c1e213b33eb120ee896dca61e0814206177a6061

SHA256
094b346caea28065f72e32cb0b9245f6317bc08c26d77c4f9328e5574aea5259

SHA512
54c4bf3d7a95db0d907c3c92ef7c51a8b3a2bf4239c2f343b5ad305aeba425bc6f8b90269627c5b5accd8415eb44bdbcca5d26b50f025b1dd5e9ebdd0395993b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7476791d009f404c6e1d126f7ef8cc32

SHA1
14a3d02fabd85c22221f449c06e62cb7c8a229d7

SHA256
814b7686dd923db7ba96ff7133a2755d6ecb5ce76c6e3a5b404745f0ae4ced51

SHA512
720f265ee36823135d21757a23ccc4584b717a2090da180d83ce3aa33f0b5faa92520a16f215d4bc64b78859686ce706ab0029154ba4d05cae1a0e8799263bec

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1fb9c508297decead3b86c129accbacc

SHA1
9648b62dda7900f0b0eb04a846d4f5ad1098fcbc

SHA256
9589511cabfd5072c3d464bfa1de87e4aab8d3de8600b2559bb769a60cf367a3

SHA512
686f159723d85a68694f7b2576ebfbf57a78aa5ed344248dc01bb8bf833b8c2b55d3c61ce4e2f710ce0893ed15cf5fd1886c80e0dcfa35e301c0af74f5d9018a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
59e7da651c9f94426d35d19cff02048f

SHA1
baa571653150ce62b52a0ef7ef4b2b0be324c2aa

SHA256
0230b893509b2f7c93c6ccfeb72b580fb6baa5e704fb01682d82ccf9afb4b10c

SHA512
c619a6573437994d72835f395ed65347774adeae0dddb5d2e9f68212a91947a3cf1c0db4de95d2adf4a4cb121a101f0e69427393d1253dfcb837376ca993f32d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c4d737728ac3ac5bc6e32d34ba34aee1

SHA1
2fa396a6fb5411cc5f16e2edf78d84bedf4232b1

SHA256
3dfee28d3c31066267a2df51f6b4bf2a1ef410fa82131e96e06a86bceeb17fce

SHA512
1119517c512780d05357aa6a414528bf46248af3fed3e20d51b9e6e6e032bf57c0542a4253f6a09500046e6f69ee98b3b6fd82e9509ba581d87c2eb072324045

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3e598521dbc93a489a312c63be2eca2e

SHA1
a924fc5e3663679053718bd532fc25da7fa31fa5

SHA256
aaf602c25aae533dc7f7a84a933bd9090433dd4903c2abe2fc6937d85a7baed5

SHA512
18c3068c87ca1bc5be638c3202f84fe5af4e09823bf23976b79cc9a214a9bdc11a401b943704b10c2c566748aefb20c78b6a1a049d9219a20c5f06e383480033

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
88e8b02387b8ab1aa885d6909e33fa46

SHA1
89205c87d6b27e0ec05a490d8adb391d5ad79379

SHA256
b5cc335c23965be92a7097f85ae74020d3ba0df94a866af1cf9cbcbbaf164cf1

SHA512
8fb2f7173e2fd4f6de208d606dfec9d0129a4a324407225e346a505daf5096ad5517f8096239e81072d2250d8a569850132f46fd3f1aed53842d0f21f5e8669d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
930ef62a67fd0d738c09f7b25baf169a

SHA1
2c4198b6c0426a03c33a10571f463968c4df2fe1

SHA256
8de527e672663f29dfef8ed64ca3d83bbf6393dedfd7f7a488d825b8da910dc7

SHA512
8455bf895d617fd601873846ab712a21fe0bfce689f2b4238081acae5435d0b16f20277b83aa4a91a28ca75757a6c2deb5e32254eb8496a92c92057b055ff249

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
323d00f1e82a3e6bc74a8fd3b45e0241

SHA1
1867f0032a6f0221ea514bcd64521c82412fc9ff

SHA256
5b6c936078f0feb445bae7bbb4cb70f81f37f7e41a5be4b65c528a00eafd79ab

SHA512
d477cba854de1578daf402fa631b3c572a4e8235d518a72047f52149487ef4cae043e6207812fd34525453330e6af693899c0966a7c7dd036c3a74d4ca13ad16

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
03590c8feabae373058c90bc526570d1

SHA1
330885b99617730b292c0b904737513459c11fe1

SHA256
072be99f7e88d3777d210483cecc9c580e02ad6a1a742118026022caaa7ddbb4

SHA512
b46ba7666715a8478ddf5c54c9963ccbf62a5af5803f78564eb1fd76337ce0d588cb1fb8eca024b773dd3bf789af48f649d717833c1132f8fbd5bae87a56b130

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b65c0131b9c4b3a91a3e38b17efb1d21

SHA1
091307dd2f659c480865bfe503c6bf3c613716b7

SHA256
d8a38c726a1a1e6502aca7e7fd9f7fc33a19c8a2b755d42aabba8a938bf27635

SHA512
30c9ff9cbfea16f75d031e27e43469d565bde29af7534fc67760c7c07b8c9765db1911951bbdaea0f4385e113bc9b7a1a0c3a07b569cd84ff120387fe2672a5c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4fa93c29b3447a29b1f4194a85292dc6

SHA1
9ceece92c7e21ba9e963d80ba5394dc180e77feb

SHA256
44ff522739899846fa52b918aa232aaa0a6270d3fe899d6331ac7269e0d0797c

SHA512
0e727ad04ed40fea8a01b33ec5a9906832fa289b1a679993536cb0eae05bd749f9f34ba814a814666c3b641410ecbe8a4b908d85dee8727ecd4a4954102338cf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e57bd9e34657fa130a5db6d999257073

SHA1
dbc111d8dd6d78f7677c0c2dfcb86b4d741e4cd5

SHA256
21d3ae286ffd4495db14be71f92d86ea261370e7bdb146c80bd5a9a57aac233c

SHA512
6c54ab31214f9402fc5f452ecd113ff9663d08ddd33853e2cf75316a1b9683c95ee62d0079a6fa6b6fdb74a3ecc5694b3939663c641c2caee04c0daf755623b7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
499d5915175c21c32f373e61b650455c

SHA1
bc5ce57c06ac3728a46ee4bf12e42e4c6314016f

SHA256
41421eac9c539eb1266e0fe16d623342a06428eef4461b385daa4120923f5ef1

SHA512
c7fb84b929ec7c9eac949ba7441b15e8328bb75ab6f1bfc1515ddb490a9a7f3d20c71150bb760cab992a96db2eb73a2971f1a2ad1aba391601daef3f7136c155

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
77150d9c443e9c9bdc15945af8348952

SHA1
384a4e1ddfded11e4dee26aa1148526e0cd1e7f0

SHA256
925492a6ce827743b1ead5f1cd7f915c5c5a8b3794023e31daf82c44ff779e42

SHA512
5b484c9f7769436257a8d364c5a60345c339c455b7668a5000e75ef32278638235cec71f871e656242a49639ccd87b7e503873f189d5136bfe2309c87008ddd5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
a9b2781d94d2e5a529730b26f9ea2623

SHA1
3fa168bd38b362382a4139c15ecc1e827989b7df

SHA256
e38840fa1724c2c9f5f051d2ac355a4894c4b0cc28de63834c2fd2a3f942b83e

SHA512
d1f229dea87dfe977f481e7914718717d365523ff7aa51d4dde37343a3671194cc241841ecb50698cd53ef5ce50aa3fd83d0e6a5307cd966e700e3844d9c2847

Download Submit
memory/780-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/780-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/780-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/780-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1216-33-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1216-32-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1216-131-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1216-39-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1284-110-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1284-164-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1284-102-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/1284-108-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/1768-374-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1768-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2092-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2092-373-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2092-173-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2360-7-0x0000000000860000-0x00000000008C6000-memory.dmp

Filesize
408KB

Download
memory/2360-6-0x0000000000860000-0x00000000008C6000-memory.dmp

Filesize
408KB

Download
memory/2360-0-0x0000000000400000-0x0000000000662000-memory.dmp

Filesize
2.4MB

Download
memory/2360-81-0x0000000000400000-0x0000000000662000-memory.dmp

Filesize
2.4MB

Download
memory/2360-1-0x0000000000860000-0x00000000008C6000-memory.dmp

Filesize
408KB

Download
memory/2380-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2380-222-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2708-375-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2708-169-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2844-132-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2844-305-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3352-148-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3352-365-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3560-151-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3560-71-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3624-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3624-372-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3628-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3628-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3740-174-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3740-376-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3756-145-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3756-346-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3844-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3844-82-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/3844-156-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3844-75-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4124-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4124-168-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4436-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4436-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4480-371-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4480-157-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4624-107-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4624-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4624-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4624-22-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4660-160-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4660-96-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4660-90-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4660-98-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4748-101-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4748-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/5040-62-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/5040-68-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download
memory/5040-69-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5040-64-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/5040-56-0x0000000000CF0000-0x0000000000D50000-memory.dmp

Filesize
384KB

Download