52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
77s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
Size

1.6MB
MD5

8a94c8155c324d52442d6d6164691175
SHA1

ae67f239d02b506b03da027f873abdf6b58707be
SHA256

1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3
SHA512

e88b8ead2c5762476824026ecd934432eb9c0233e368fb22072fc9ffae30e4dee20c52040035ef3f0c84b11dd4016f480de4fc424375de0c12ddaf97c88fe641
SSDEEP

24576:bbAZEOK4aS70yJi/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz:fAZEbppyoLNiXicJFFRGNzj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2800	alg.exe
4548	DiagnosticsHub.StandardCollector.Service.exe
1036	fxssvc.exe
548	elevation_service.exe
2060	elevation_service.exe
320	maintenanceservice.exe
3108	msdtc.exe
1908	OSE.EXE
800	PerceptionSimulationService.exe
2432	perfhost.exe
1372	locator.exe
1048	SensorDataService.exe
3692	snmptrap.exe
1564	spectrum.exe
632	ssh-agent.exe
2600	TieringEngineService.exe
1432	AgentService.exe
2004	vds.exe
4776	vssvc.exe
3032	wbengine.exe
4788	WmiApSrv.exe
3960	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\locator.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\System32\vds.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\System32\alg.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\8294a460cad6a2b9.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
4784	2896	WerFault.exe	80
2632	2896	WerFault.exe	80
2592	2896	WerFault.exe	80
4908	2896	WerFault.exe	80
2928	2896	WerFault.exe	80
1008	2896	WerFault.exe	80
836	2896	WerFault.exe	80
3832	2896	WerFault.exe	80
4436	2896	WerFault.exe	80
4604	2896	WerFault.exe	80
2284	2896	WerFault.exe	80

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000325ecd0d7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f144900c7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb3b5b127d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009521100e7d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbf5460e7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
Token: SeAuditPrivilege	1036	fxssvc.exe
Token: SeRestorePrivilege	2600	TieringEngineService.exe
Token: SeManageVolumePrivilege	2600	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1432	AgentService.exe
Token: SeBackupPrivilege	4776	vssvc.exe
Token: SeRestorePrivilege	4776	vssvc.exe
Token: SeAuditPrivilege	4776	vssvc.exe
Token: SeBackupPrivilege	3032	wbengine.exe
Token: SeRestorePrivilege	3032	wbengine.exe
Token: SeSecurityPrivilege	3032	wbengine.exe
Token: 33	3960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3960	SearchIndexer.exe
Token: SeDebugPrivilege	2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
Token: SeDebugPrivilege	2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
Token: SeDebugPrivilege	2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
Token: SeDebugPrivilege	2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
Token: SeDebugPrivilege	2896	1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 4824	3960	SearchIndexer.exe	122
PID 3960 wrote to memory of 4824	3960	SearchIndexer.exe	122
PID 3960 wrote to memory of 1056	3960	SearchIndexer.exe	123
PID 3960 wrote to memory of 1056	3960	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe
"C:\Users\Admin\AppData\Local\Temp\1df5732dfafe442990fe6cd028f96212d27e68c2922f9acfd74e8dd9f75e93d3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2896
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 816
  2⤵
  - Program crash
  PID:4784
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 856
  2⤵
  - Program crash
  PID:2632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1036
  2⤵
  - Program crash
  PID:2592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 840
  2⤵
  - Program crash
  PID:4908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1076
  2⤵
  - Program crash
  PID:2928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1044
  2⤵
  - Program crash
  PID:1008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1108
  2⤵
  - Program crash
  PID:836
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1584
  2⤵
  - Program crash
  PID:3832
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 1880
  2⤵
  - Program crash
  PID:4436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 972
  2⤵
  - Program crash
  PID:4604
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 936
  2⤵
  - Program crash
  PID:2284

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:320

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2896 -ip 2896
1⤵
PID:1440

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3692

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2896 -ip 2896
1⤵
PID:3528

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2896 -ip 2896
1⤵
PID:1716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2896 -ip 2896
1⤵
PID:3424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2896 -ip 2896
1⤵
PID:3912

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2896 -ip 2896
1⤵
PID:4460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4824
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2896 -ip 2896
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2896 -ip 2896
1⤵
PID:1296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2896 -ip 2896
1⤵
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2896 -ip 2896
1⤵
PID:5100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2896 -ip 2896
1⤵
PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6b21ed1f6ccd36539ef79abb39165c9c

SHA1
afaa9b5c34b87bdf22c7750f865e93adf679a73b

SHA256
625515971254f227248fdf195298490d9ab8e6716ace6e8e5995e929143e5eeb

SHA512
1790c552f390c31fd61f09e7291679f87743aaf2ff88bbd6f02ac5790f1387d4b3e24e6cb318f6a1187bdc00136029ab2b66f4401926cc7bd020addd23835402

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
e76b18c0bd19e12730d35ab900d0c72f

SHA1
61d4ad6749238f3a0f247312d8bef677c74d845c

SHA256
ebf45610296e00a99598a45769fdd4d0acf005d7bb74dd196a8d79ccf3c6e80d

SHA512
94ec472144f0d24b31999a07c81ba4781eede6f87618a7e8a44b5a0a183fe794d2878829d919c6eb0fd8959b3429b2c6a713f63ba57758accda9aa7a99edc9d6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
5a6456ec1d7738325a5ce48327d1be99

SHA1
19cd28d15d9b2eafad0a2144914af6c4d0e1ae7d

SHA256
e81ba9e054b1667bb25fd4a3753ea3cd52bae2c2d58e67df26abbabf6db9a27a

SHA512
2eb6b042318e608226a64280bfbd059cf6b8501045e9baf8d606a90853a0379aad280a92d3df79f60437910f9dbc6482267dde693d93018be5250e28ec58f066

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
fa5e97f0eb61444398b3f1498551c8a7

SHA1
b5075bfc903922b601d94ba15c109ca7933d088a

SHA256
823c453d6504a22efc901581d99bd2b69216502be7546d86dafbb4102c26c4e9

SHA512
85a5d4c5a206ce8629b858080ed1e0320650fab08b8d56d4828bbc12fbe01c093340f9f84d403ffac12269a6010c26ed9e1858b44835cfe2c8787bb7408a0968

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
dd659daed1b0dfef6fd600465de2b152

SHA1
8675f80fa0f857ff7f3cbfbbadfde2549e964b64

SHA256
b4007e53d0fab56008ec08ae552e9774b9ba72d126e4ad482ea991fc4c544095

SHA512
0c80db1f20a66af3d42577d8016b3777aeaf526b6f9e2ec8833359ce4864c5e89a1e4d66d0a053889cfe45ca3624bb89b4ec2991a735b38776d33dff8096d22d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
97ee78b26a0a8ec6186aaf290ca0018f

SHA1
e8178b3492a57794f67ff7d7fda4651307997bf9

SHA256
97497a03e04e734ea7c16e0f4c6a952a8d18d7812ce8910a478fa2d5d3803514

SHA512
91610b1e6c12c324dbbb201e3363729141f1555870a966eb27c5cd79b50e6facdf31d023019257b5bd727a4e19f945ac9ed9b094c3275644063784aac680e47d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
33cc72afc3cf73fcc7408dab779d56aa

SHA1
5da361356382ef474ab71e691a2c3f57f00a2272

SHA256
5dc248b98e04900b6cb154d69750e9bd92daa0c37336fcd88a6d8b3e4fd14246

SHA512
339c3e413714ea7aa4e2bc9c19859251d71b90856fe64960600b9efb8ede04253f4b641309a12774b0e5741283652927ebbe9f506b90d19d8cc81e45a99a9443

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
389975fe1bd65abc338eaddd7b0ec477

SHA1
d347fa12e65982e9bde5f5592b0b9fbac1fa0c56

SHA256
e924000e3a75142ad0f9d452602f53969b0fed4701570181c9bbabb5a728ffb8

SHA512
6df7e8ce857694080daa9ebd094b0b353efe0e5b506ef1f7246497ecf7b4f7a98a17988f1b07f3bfb65af1b6a083fc3d39c763221699160f632384b0199df590

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
99db5f1902c867bd6853da27f35b8513

SHA1
043f7bf781785a90fe947d77c2792e76364110b3

SHA256
d3223b191309aa6c3c43cba967a28fa9a7203a28ce78a2ac0d06b70427f4e4c6

SHA512
83af34a801512ab0170fd6a9ee29bdafbdb1fb101183263803f2a03500ed7e1d67ddc36eb225e1fffddbadda6b752e981afa02137496c5b970d9cfea8987ca82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b33c39ec489bacf6968fc84a7c4f7b40

SHA1
a09f4be18221b7ab5474492374dfee027219fd9a

SHA256
5709c180f5976facfa4965026ca20f9ea07641eb4adbd3332a73bc727e67bc28

SHA512
d64702273537629c7f040ce331a9c4a386c2d885cfe15bcaeed1e8d403debc016f9529b2b8c1b3e8bf086468d711b0a792ff680c67a889a3509486c84d39397b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
57a3cdb844a1242bdcfebea5c5259be9

SHA1
2a6794c445942aa262ce8678713e13cf604fbd45

SHA256
f0b5594b2ee804b62285ed7a0c23e212f9644a1e4235b7ec04d7bb53dbbd561c

SHA512
94dcd18c82cc94935495f63b483437aca72292f25ce72fbed94c96dd739895ec47cf23d11b6bdcf5d9bc10e2ed83f6980fa12ecef990cc9f444873ba6e1fcaa3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8b6aa81ef20bc5613c14d57e9ef47f2d

SHA1
1849e8d5cfd41a4c95b158943f619c73a257afe4

SHA256
9fc915daf9c63ed0c29e85fd913f50fac528c785da95460f1d3fbce75b735a87

SHA512
20abac43edf51f372f60dd4d2c3ab20d7ebdd7007e15ff11773c3b47056bdb6812eccc780ac7da20e484c0e43d0668c8d798d0269b967557ce39577cd0e723e8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
22fd3f8356d89c43f7179eb1a6b05322

SHA1
70a665e943c9c4fb09097078a12599b8312a476a

SHA256
3017ca9f9248798d3e21d5023dabe36d4eb163221712b3333791f3578a14842f

SHA512
612420e03a33851a02a05a911a269decfe4bc0139242e2b975d37cebdc4f695d99e3cffd7800f58218a19d832b67acea362ac39590c66d34b459833e5cc2f60e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
6559e4483e7285b819a3faed96a20600

SHA1
165955ff280fda7534f8dfa40f8751f1dd305431

SHA256
364c9b81b6f6e6950dd8c8927627ae82094347a6c851400069b362d95d7f0bb2

SHA512
a00bbd3978bab749f1ec28f38b63779f8e5c3987a23e35d1ab1a10c45d66bfbaf3e8f34a070e50c2426747b00887e49ecc6e12d21f5138b5e05573cacf9c875a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ae332d808241a2e51590c1d9562a02a5

SHA1
1ba194019fe844fe358dbb5ceb4f6c8c8cfe4df4

SHA256
79d6cf260467c5659cee873f4912c6478f954b57e81dd4f168ab9e98642cdd11

SHA512
99a132e14341f08024e232c962b85a46e163cceec08423c1e2570589f5bb19e8adc2f36ca68f5ebf1dbb915e135f98bd8fee5e5b05bdf2a8c72f28f895699cd8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
ad25084fb84cc3095d41be6c17b93b44

SHA1
c957fd5f7dc332f20254c64785ac5e0a4380a7c4

SHA256
14798e06594f0a6999b9623af003e31ed05bc0b3536194fd635eee6f4bff851d

SHA512
c637311561cce4d1dac9b04ef665a042acfaa4c20333f8a42da546ce63791e640fae31227d39a9af513481f50ede7e8d64b6a41206a10dc8510f7183f2f3f99f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e440825be592e2fbef45f3726bb39756

SHA1
afaf09f9ca57f30422f520abe131c4fab3903868

SHA256
6066f3afe5873ee458ff062b25fc6e4f5824d6945b2ac43f326d774acfa3d4ce

SHA512
767cd60e4f17990cba272e57434e0efc845d02c88613652f5ee308670fae611617122f353d1bcdd5997b97a9987e1dc9bbce28c91a2d908a0a6414b6360a8226

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
0d22c819407ccce32f0ae680b88889b1

SHA1
e26e1ef4ef20c55703edf8bf263ee20d2bf4850a

SHA256
fa88eb61efbfebf96fd13b1f8efc1ddbe45fb2889e077761363194d104638cb5

SHA512
1cb2abc2a6d0d577d597b9a1a798655f924f6bfc1557a9504e9ae08d86fa962addd8485d840b8de5dc37159afaed37f2a93ac889b1e857dc19540fbb3faf7f51

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
ab8eac33f228d8344a90d041217cb595

SHA1
d93106e9c78f08414598e793a584e908e8ea2380

SHA256
aab6b091aaa1111291e1dcd8d65a70b59702493afeaa61584d10ffcda3e378ca

SHA512
1a38194def47072478d4b4a3fe13144d574121781ba6a1b2921b72a09f9e2be5615d2160852c51e39ba3d83f0a62376175a20fa7e98d28d4a405c09a24ffb78b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
579642b289d2af0807c940298d306ba1

SHA1
f44ffdc8c48f58ff387ed4289cd7746da63ce645

SHA256
2ab87795e86c70afac12dad1f1bc471894c326d267916bd380ef33f2eb6b9952

SHA512
d838cf1adb1e51f061e136c0ca23f62f00e9606fe81c27a06a1da4cc3adb1345089716e6a86266f33f52f3601719f7c489fa948e1c7b3e00e3631bc945194557

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
bb7ef099d7fb998b7d5424d766c9e240

SHA1
6bbd31e8a989b096927ab35197e23a972425a825

SHA256
4b17ee3722db993c793f2628a9c8ca213bb3d0eb491d52e137a2cae74ded504b

SHA512
f6310f46deb907496143a2b0871cd92aae1bd1340deff565449f9c9da71972f7b2df34022bc8af70ebaf1e9661f69a644c821d9b37fe7f3ff0ba8ea41efb583d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b8e39e3522f5250f9863bbd25ca5d671

SHA1
556b9c7b828b35acf237c8f7e98aff7b7c9d4313

SHA256
c5ea551743ea7257ee987eb4a723a66b674be53d45d7b9062e637574e9169ba6

SHA512
d9a687897c755957cff773ba775b21b1b4c91fc11d93ee5f43f45d7322e2cd73dbc2e3b631b7d002ad12caab08825601a2948f2bcf2fd4a66def2db00b588f00

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
2dcb50d490f99aa1d3927e4510e95116

SHA1
8ed150c295bed5e865e9e8bdeb1226ade352dde9

SHA256
601f03e4f0d8eb75285bf53b33edef49c01a92f1dde62d9cc3deef794e8ea1e7

SHA512
a6f8b63022896488602fc9087fdfd57c057b1b331229657aafa22986a1090fba3406c45eed722d4d87e4d120df0b4b75d0f428e43563ba5e7315a2e4b21304ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
a6639505fd0765d5a6f914e0967bd261

SHA1
dfbe65a1329a10ece8463b7316f13dc59c2e7fa8

SHA256
413137bc59b11d516b5484af16dd5186b81a90c234db49875ec9cde9aa9b7726

SHA512
50a80cd3ebe851f4527a16b376f37463a0d66258881025a623cd5b6cc8074b56e038087f07bce74c6bf863d9159292cc2425ed1238072d30624025f7a7b2b4ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
6260ed10b15bb55b3b095fe4ec8bd774

SHA1
2a6be86827abe021a359f6e8a37f53285af63b61

SHA256
7e620a17473c2ef80e2d7a805b24e5b270abb2192df5a34d4b4f58a05a4b890d

SHA512
b5af59b10adbbf34e7ffe4fa15546bbcec4a58ffb4ab0c2651c789f78c6ad83d6c4adcc0eaa1a17d484201e166fbd4008c35acd2babf6edb16d050a2897df435

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ff907ddcd2925b62851f7a995b85a4c0

SHA1
b2dc9f90e3c1222bccbc570a3f22e054693e7b7e

SHA256
ff914687c65a81460e762157f9bf64a72d41c6340a9fe6939bc721fe5dcc6bb8

SHA512
8b6a8bd4b6f83420a8e1df89fc21d6a51c3693752c344e38b2c78110860cd3bfdf0a2e737a0266e8b6a7778a64f1a5fa351811e98e5d22187e66d890fee132e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a1a99e74a9e4424be7052c9226a29065

SHA1
d26ff737ff95e302471ef8b728370cfe53c79496

SHA256
b5ce974d0847dbb1169733874ee33e792add16443c5ebf93d268208e018161f9

SHA512
108a2b6920e59c996d28da5f19ebc8142c8d7eb3d0983e8cb12a67baf630e1d663e079ba57c3194984f01c4e07d252f6cc8279b350d6537068db91f8791ec6d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
f7c9d12f23f3d8d79176572f260dac49

SHA1
82ea17969e086bf86efc595576a9e7d25a422114

SHA256
714fa710bf30ad992d36258b1843b813516d8bdc436a8e7be2953abdccde1226

SHA512
ac1e6fc669ebb01ae1c1af267e510025438e4d2ce211aff43b2920c7a4acc8930135bb0f7db850bf792bb7940bb3a6228ec117a7ea7c11210f37c3c5dc5bf09a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c5b63083afd9f6dbed7bc0859931ddd4

SHA1
6f3df5ae435b5840937c9e2cf5eda46cb0bca12e

SHA256
b82d2de18747682a578dacea07162df7b840ce85d02ce373c75a3644c8ac96d6

SHA512
15150223d167062143aa722e55f32163827314b94cc7ec8450111b4cb6cdea00f1f435c67ce018595a305b11cb8dcd5044b998b2744b0ba6b03fa736622f1d9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
72bb9e86d91c591fe94383313e568ee3

SHA1
795bbd6ad734ed1bc3b9cd7edfba2ed72959de10

SHA256
359d772e5784c2a20ab3bc42b3d3d2c6f664da66b42a8871fdf37bb122ae27c5

SHA512
393da02f0eb594f1542384d745e53b618bda05a90d4a67bde2d4bd1fb4f541b5b2e727cec6667647ed2ed9caffbc18836202e58eb90a4375ae299cdca3998352

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
9e5e2548102cf5b79102764366dca6fd

SHA1
16c5af9d6c85b3c667a4a50951b09b847c73f9ed

SHA256
06ff3b515d1344d3ed702a035e8be80fb6360b7c118e8e8df7fb6f15e6f6000d

SHA512
b05dd6e154fe5823d935ca044b6a7708432625d85304942f66fea237ee900e7faea1b1d998ed17f59454aec23e892d6bb32b9693b03defd15e6a18926ad96c25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
5d8e24ef8c9ffe5db1017dfccdfb346f

SHA1
28f9382e057b3ab57c5a49f49d99317207ff2257

SHA256
43dcc5d847b93d3f6b375186f7dfb72bfc8aeb3f0023e8037ea3a79a093d02c9

SHA512
59782d46b85ead233b1e62f0b194d426ac3af344c3c648d062754404b7e0602263180bf0dd4127273cccb59a0d2c9b4192039de9e5fd3064ce5e7736aad35b41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
3e9d846354330abab6a196d5c070c706

SHA1
a580db5bc8d756dd9cacf74a9acc2ffb98be6882

SHA256
56ea32c738c7469e3a4ebcaf556f770b24dd7ee31861ba32be6ba6ed1ad81c12

SHA512
1eab45f000c9b123fae411fbab995877f3fe858df39cdf2795a5bdfb3af08df637e14477bf5c860718aa6d80cf81213d1b19833d5838a462d21692d194167d2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
a5926454084b8f46e4949400ce3ddf71

SHA1
e85fce9ea13e2c565fa046d6517cc778bc8b43fe

SHA256
caef0ddd22c2b6f8709e8a10b738eba3ceeb8edb526ba21265611cb64d3adec7

SHA512
513e048bb344ac9e9b43cda47fc8b88e51b2f4c71964fdaa865b78d1f923dfb304fe07c76fec249471ff903ee92cbfea72023ec428087d9075962b9f042d68d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
b996f91870bef590caec2e81e343772d

SHA1
0619225a146a646963291cb0291ec8591fd482f5

SHA256
4e6d824f20d9892521b09f90b5c2a8fe5e11b7b5f7f6826c5067bcfe0eba289d

SHA512
206497df0be27b8f85e1c94bc6b15e44b18196075d0d868842201843f8a6fcf99872be5c05a834ea8d2010e53ebc6ba6a30e5fdfc5b4fac4d13774ac9325aa14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
183da81eb8aefdebcf8e0f6fb0965318

SHA1
ea2e62d30976c4e780af569d87ccde1d63a31717

SHA256
54da2544e054f8c8e03aa4546c223dba5cf3da64d27ec3e383b6525f2c560663

SHA512
69625a7fba8cae1ab83821c9788ab66d346e2c19421a17e58f9e67a1caa80332117138601aa6a860c64e0004982bccfd65262af041530cf90c67cbd19deeef04

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9c412e4237eadcb03458e523ef8ae500

SHA1
bb6e0f815710feff0171debd62926b9391688a8b

SHA256
828c7c43ba35f4244609e7aa4ce027c713f2b5fe965bb6a7cd0ebb674cc02b26

SHA512
2786b10f9dd354a483dbf996c59cc50edf5d406aab5f11a26b3e40c2ec377dd8d5c23a9a7013ebf06664395b051bf3f1ac6f1ef29b1ea4941fe0f7ce0590a07b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
d5071c1e5c09f67863e07a4f9eae9299

SHA1
f9d22d9ba32c3286739d5d6b6b8c24ffc0928970

SHA256
30d280a4247d9f72440174359463953d3d5b185c8b9d1760873e922a16bfdcec

SHA512
7192d0c8a8223ca6f77afc6dbb422d9935939cf356a517ef6190f4af6a557021e148cff3c302ecaf19d7d83df21d7063feb39c98fee445b8cb5b0e9f6fc2fab8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a9ef49c2ff6508cdacfcf7b2e3effac1

SHA1
1c6682f8c2fd70c8bebae0469e0440bc04557c19

SHA256
2df7e672c6a13cbb8f7c05d51f5089a467a4ae4b9867b272c16908e5812ce692

SHA512
700db902f55c8980a6bb2ea1b345553d43260d01b574702852a2c5103691fbbb036884f921c0a998538b5516f486202932774efb36db0c5f0bc90316ff050c4b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a507e1c17c802a2fba3683e645650a4e

SHA1
32d6d11a31a0ffaf8d73df4ca41577c82147520c

SHA256
180fced96ce14c6236fbf7449c990f2426ddffe680fb0eb3125b029507ba0c16

SHA512
b4f2617dfd5aa476405383e27663813b10101341c81ff649b297a55174477d6071caa73fde9321d4b66cc46aff6047f6582100db5485839e00ea961d45056d14

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
192bd1db8b10675a00af007f94aa0831

SHA1
8403a7890f3499d355b838bfd197eea860faa209

SHA256
3c1f7fa01345b80f6527162c82668f1c30983a3d0a9af8a7444e047310a463ce

SHA512
3afcd83d7214b4a6f74d113c5eea7065f884f419c1fc3a5a29f60ac92ea1aaff2b84a94d4bbab6b26a0f59c5b186e3ef36143ef9945e99d87a247fcf346840fd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
680779f8ce6398f3fdaf4f8b1a3a9fd3

SHA1
f61f79e1730dd17ab91f295df9e89d1334e9c8b4

SHA256
684d7e213968d07043db2cea7a9bad7f57d3bfb819206746927a8d68feb0bb9c

SHA512
0db10d94fb01cb8f2f13f93ab788ca9802376ddeb9172f71014d168e5e24ea5b19ec02f04211dc6399f3a9fb134eb2f242a3793b5c26b2d942d4dfd9ca64685d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ec5a93a69b19351f0cccea1f88afc7d7

SHA1
3c35f5251f41e058a42301231da079c28a27cd15

SHA256
12784c6be8797d984d33638caab94e592e36aca5404ca73b06f11f97d9c3608d

SHA512
e69915b6751327c93ac05b9828da10fe07809630c641214996d6aaa19043f2278046606448ccc9a88bc3e47b4a7360742f459d741eb7b3e445c14990e4a1d577

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
140507bb26f6f16332e3713b390615a2

SHA1
1db78f8dedcc09d9f6b90426bc290b6bbec6e7f6

SHA256
106263acfd3f72fc1f1dca25dd454e44911a9e9e7bc3efd563f3260d41c0f397

SHA512
9677d20f5f429c131693fd60ecf2720d08c9537c569a3b299818ec8e7ff8940c2a0900c15385da07adf7184e907b9426fa9745802a942fd61dc94834aa5299f7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bca4ae47f9361222c0e87cc88627eff1

SHA1
46766254676de6ffc861761b1cd87a28c85c70ea

SHA256
911226dddf3d05d869f1c7609a82f6e9aa73013a5bfe59a50159d5e634b5d491

SHA512
1d33cc7f0763d9ca5117d712c73f439a7c9f49190a5c4d0891591a69e6f56730f8db6ab0da3de654ccdb05d9d6464a5d8b427197e04739614c5bf3d088fa689d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
98e5cd4bd81447223e2d87c8eb54e603

SHA1
c361c2f64700ecaa40f80b16eb6c050c2d1ca5f5

SHA256
fe07b0928055f828ca026000c43d5e400e4bf230fe5f8ff7194a15fc0376c0eb

SHA512
4aaf64331b5f6355cb89d4ba517eeca7ab67a30aff102572a96397826eceba5cf772a9f599bb09e54257c27fd6c916354e2d7f100c40775c5d283d49f395511c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2707234254e3009d9468eca59ee1b5d9

SHA1
e9ff889624b799b0e96b51354bd9eb6994b3aeef

SHA256
fe39de38bd9cb277f134fb192608ca24e1c300a65c62e503dce7dfcf2d1b9f1b

SHA512
3cbc30c12141c2b9160ab0827b689f411bab0228419e104f372db940538885cc0615d2fed32b3b81d7e3867c2d00077d62e74d6d9b75ce7f2427d9952d85f847

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
027fa943cca66a809551716b3458f8ec

SHA1
35df79b73ddec787616d48ea83cb57dcb3c4dce9

SHA256
89ea0bb7984752fa5950e88c32865d3567cd718183ccc42e6d150749ac11c3ca

SHA512
13e605d5d7cd0d5511a576eb5e9e4543925f776fdd057705d3eb2a027acd28e9dc998fb5d3233dcaae28618ebf4a600a8fb2bde248dd7ce5b78fae980a6e8992

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a0c297d379b0bfa005a7d41a3c039fb7

SHA1
48fa5e657860e908ccdcb5be9842196b2cb0fb0c

SHA256
b022c8a6b14e260162c05ee6c154d291be1bd3720364b323ed1f2ec8767b4e5d

SHA512
fc79f1fade4adbc32b8451bf51990bd163efb1ca530190e3cb2138f5badff03e13a6dde26e563a9b68618191e0ecbd4b1e975e5fa018a77d725b502492b33027

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bc3feea626718fe99e736e78abb81c27

SHA1
dc056a21459e95d5c57e541b4e4b257476b272e6

SHA256
664d80c438824bfb1f0f6192f195ce2229b9e4b5e6df7c1655dc96ac2256b4cb

SHA512
9090593138b1571924bc38f9516477363e03bd70523f94463051ee8e535478c62e921de9003038d2176afd98496941a2fcbdeba45909c950541d8a6f6c31e203

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
7b0c3348b373965d249168ee4e3dd28f

SHA1
41195c16aef95719bd1fd114ac7df8a03eef38a8

SHA256
8b0f96e959e686665e7717a5890e59e2d6c74d141ade0e3957aca432308d823d

SHA512
4536fc130a36735ea3685ffdd212a0d938e874e671509d8fe0e0fada68b7ca5e5158143f838ae1abfebf8636350fe50980210aedc1fc94264ea08af85c1cb308

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
36e54f5b437040eb36122333fb78f18b

SHA1
2bff11cd7daf747f607e6c6aec9ee4ee45418e18

SHA256
78dfac624ad3436451fe7ee23644a74ab51c0365327bce77eb7333055350e9c4

SHA512
ac42b565a1f23a953828cdf7e286e997bb091d3148027fa617f81f38f4507d517a962da407bb9ab76477c2ee121f94e9842cb32da70f2151f5612b0e2ebe15b5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
fe4c3d84306cc3618e0aa35c2b5b5c1c

SHA1
3de45103c35ee2dfe80dfaeaafc015b53e456c08

SHA256
8835fdb039d6967f05ec3238806f8cc87ed369e3521b43145999c2e361ab0977

SHA512
a42c15aa164d199889958d8f752b47360a1d19cf4563d61c75abebe274b3ff06509db3d3c37e1cf22b5b7ebb2d47ce1df4b4b3df6a1ff98dd70f1d92e3d9e2e0

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bd2a934841cc449ca98443015c50e5fa

SHA1
f46d58f332b524dad5f2a16b5db7d89fadf136a7

SHA256
c77daa12dd2d17efaa4ca304593466324ea4713542d0755be6a912ec608166ba

SHA512
be11144c98aa7d76353f71fb1818b920c9410c87ed7c537059764c069efd848c60be6d9f5938b0068323f0e7f6b18a5ffae30ca45c8523545335610fd49223de

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4883cd760127df3fcb1ac2fc1bcb073b

SHA1
173bb9e3ddf164e7a10ae811d919e8d6b3c66885

SHA256
783969a74bd600f830e564a68ed1ef833e254bb21fc33eea18261b60dbb44035

SHA512
c4c0643596ecc32caf814c4dc9ff9132edea6be0c9f2094698e5139daf36c16bfe00adb186fba1794ed9cf704d821e94114d4e2866061134ae7bbc522d3e62d9

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
79e6d621025302836aac8b032f3968af

SHA1
1992009ee59c71938732372874b94f7bcbbd2cc3

SHA256
58cdfc898bf15685c1e753b85baa75a38bceff378fdbaa1c67aba68c1fc94bd2

SHA512
77cd114ef0a200a3d552f37463e0d231430977b5e0cbbced143fd1db53599e29138759ea08dc33f21991faf12af5709cd6b028714b84b3ce5cfd2b3efd11c833

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1ec2d458ac822e096f5926f2481e2fc0

SHA1
167fa3e0b585386f5667afa95765c1541707b9e6

SHA256
34f2f7dbdddec37f840f0772b07d1aa9db256f9c8bc1ec00735bb1076fd2ed20

SHA512
eda2459de6a78f480d762dafef4db782bd0937675ffe9e26331a3b4b63faafd873eab9b010b33915da80d80c3f728befbdb45a804522295e9df70bb590052f55

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
b907f098a2db9f0a62411a1cae89f674

SHA1
f52d10f375ccef6cf89f6d9b5c4f9fbcb7d3fe56

SHA256
84e58a784e0da1883925c95b95bb593c1f4bf95ef4550d805ea4e2003fc9a648

SHA512
47a214465f5ddf705fa703b97d31a7b0d3b5cd1207de64ea6f47e65b26c5c42f79cee2e8f7fbf3a4a9509c7e10a9d50b60907e4cafba608c2da7eff333ce9bfe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
d81730dcf31ed39fb1c6ea609bd25198

SHA1
ae61c0b90932a3d0e2e9a4f255e992aa0374b168

SHA256
7c5566bbb1ceb4d88f75fe6dbc4e5c3aed0a72b6ab82f04768cbf39cd046cf44

SHA512
e1a6217507b3730cbb2a8bf5408624683ebfb53a86826500abdd164b24a624976bf824404d41cfc101db357f98935af8dc1a1f317707ad7d5b13c717bfbac343

Download Submit
memory/320-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/320-61-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/320-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/320-55-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/320-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/548-129-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/548-32-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/548-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/548-38-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/632-135-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/632-343-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/800-97-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/800-95-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/800-158-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/800-90-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1036-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1036-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1048-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1048-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1048-373-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1372-112-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1432-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1432-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1564-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1564-288-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1908-80-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1908-74-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1908-83-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1908-154-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2004-369-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2004-155-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2060-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2060-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2060-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2060-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2432-108-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2432-162-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2432-105-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/2432-100-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/2600-146-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2600-362-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2800-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2800-107-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2896-0-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/2896-8-0x0000000000D50000-0x0000000000DB6000-memory.dmp

Filesize
408KB

Download
memory/2896-82-0x0000000000400000-0x0000000000A3E000-memory.dmp

Filesize
6.2MB

Download
memory/2896-1-0x0000000000D50000-0x0000000000DB6000-memory.dmp

Filesize
408KB

Download
memory/3032-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3032-372-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3108-149-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3108-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3692-118-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3692-222-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3960-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3960-375-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4548-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4548-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4548-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4776-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4776-371-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4788-374-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4788-166-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download