52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
149s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Size

1.3MB
MD5

8cc353c3520837897bd84e5b12172cb9
SHA1

41424ee8bcdb2cafe9914cd2a6df29a9a7fa8feb
SHA256

2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab
SHA512

9288c0c8a8924bac30748c6c3e436b46b93d42292745ed5ce667aeab7bc49c156706421b51823d50e48b9e84aa712fa46edb940ca5e8d27a36c34c30f0683106
SSDEEP

12288:CFeiJw/9Rrw0R1u4V/0YG3wx6EcJHUEhPUotFZr+1izHGNe8jKk34z:C6/TwSfVcYG3K/cJHlnFR+IGNe8j3Iz

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1732	alg.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
1612	fxssvc.exe
4832	elevation_service.exe
4720	elevation_service.exe
3664	maintenanceservice.exe
3116	msdtc.exe
1604	OSE.EXE
440	PerceptionSimulationService.exe
3248	perfhost.exe
4732	locator.exe
3532	SensorDataService.exe
432	snmptrap.exe
3376	spectrum.exe
2792	ssh-agent.exe
1300	TieringEngineService.exe
2148	AgentService.exe
4940	vds.exe
1008	vssvc.exe
2892	wbengine.exe
868	WmiApSrv.exe
4896	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\System32\vds.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ce5b43c365f51a6c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\locator.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\javaws.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85500\java.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009895880b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f810d0a7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000997690b7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd32e0097d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5e1b50b7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007eaa7c0b7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe
4712	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Token: SeAuditPrivilege	1612	fxssvc.exe
Token: SeRestorePrivilege	1300	TieringEngineService.exe
Token: SeManageVolumePrivilege	1300	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2148	AgentService.exe
Token: SeBackupPrivilege	1008	vssvc.exe
Token: SeRestorePrivilege	1008	vssvc.exe
Token: SeAuditPrivilege	1008	vssvc.exe
Token: SeBackupPrivilege	2892	wbengine.exe
Token: SeRestorePrivilege	2892	wbengine.exe
Token: SeSecurityPrivilege	2892	wbengine.exe
Token: 33	4896	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4896	SearchIndexer.exe
Token: SeDebugPrivilege	1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Token: SeDebugPrivilege	1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Token: SeDebugPrivilege	1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Token: SeDebugPrivilege	1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Token: SeDebugPrivilege	1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
Token: SeDebugPrivilege	4712	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1324	2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 1780	4896	SearchIndexer.exe	108
PID 4896 wrote to memory of 1780	4896	SearchIndexer.exe	108
PID 4896 wrote to memory of 3484	4896	SearchIndexer.exe	109
PID 4896 wrote to memory of 3484	4896	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe
"C:\Users\Admin\AppData\Local\Temp\2b802f4d27860689db050439e05e067bc7e87dca596fa28765f4e3aceea2b4ab.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:224

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4720

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1604

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:440

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3248

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3532

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:432

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3376

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1548

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1780
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e205a299588953ea5be8e2fee2369f92

SHA1
1851d860fda80a09562ebd49047418fcaca605ea

SHA256
0d62b3a7ee5e369ede0c8a104cf55d9e04a5026f65a28375cde7e0a6fe4fda29

SHA512
1e474b2e1b51117d7f85750c8b3b83a3b915303af92e12eb6f1ed56574d0813376aa2ab3c22e9eeb839cdd2405742584e342c3ac5fc7dee9a89b960fc0d06e36

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dc79c4c61ecb37c2b6e1f85662ebe579

SHA1
eaf4c336fbd739997f439c78e12d2d70ace3f817

SHA256
5b37bceea4a0f4feb896118cb7763aea321be546797918e74cc65920e1c21130

SHA512
6309fd46b135358dce05262018ff93124aca9a6a30733f2dc826c01bc7c8349c05bc2cd79e98869e3d634c9a78018e2c55205aa87bc02b49c62158a6efc0344f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
91203d80ec6a04629bcb2788dd5359ba

SHA1
0c3464f30e2ae5eaaa86b9d7dc4bb97743dcbf0f

SHA256
f04e41a51c254955e67ed207cf6809906cb752ef8e3d1676c3b118f69b83665a

SHA512
d71c5789f306caca25dbefbfd950d0403ed06fe87098b562bbf2640eea5617cc7ac2f3130f07965d9d24171c5b854332164d30f2dd04d35a64d9969d3e6ad01d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8f722021472ced7e4f65d2c51d791d26

SHA1
054c3ba80ffc093e7c619f287512ed18ba528804

SHA256
25df790bb300bd9e4c3fc13bbe80f37f28e6c648c3fa5bd6c398f8f52b5958bd

SHA512
afda65c2b565c2e6f811b36065a4b73d7e91d9fa70e2b08b33807d4b9688c48c3b786c5369f4a78b6ea419f6e2535c24378da69b16be90af147688d6d99b99fb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8848fca0a70068fc374b9ff4148d38ed

SHA1
8edd18ad0b7b1edeae9c3460dc287136a1cae33d

SHA256
af84cca6b9a4967690a2290151dd2da6fffe94985b14af50ddcfd12d1fb781d0

SHA512
edd9b5eeccb2d88e40f6bb0891c422a3449f58549aed1666a15a7c07b56d5241dd01d619d3db779ceea404da56097720cf75dc8e762956bb739816ece3af7d11

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
c627b3aefd5453d68633d41b6646376b

SHA1
5a98829f7b40f68413a428954256ef5508480ee2

SHA256
88974e52e1f30f4772145a177d063c1fabb9bd6a86fc342d0b2f2654d41c3642

SHA512
62523745e48f512adb5edbcf732293d032f1e4bf103c03f8058e3ed0e6c1c57e0b6e94fe0a0c05ff5ab894e3bd0d313340e992247ddab348763682f6b2d13ea4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
05ccaab08d6d6971246fc8aaf79c1c40

SHA1
21c4502ff23f1f2090bd279787a69c03b9764acf

SHA256
ce5ef46c59149d79935dc670f875a7989e0f61d58149a8335e71d523cdba6dfe

SHA512
926de89e1d00f867219bdf64aed747bdecd0f96fb6e778c14aa042c9da674965e625a070b55ffb725a034f93dc4994ce6d5891076de3ba65f23e39a7cc8d6718

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8a8def579076ea535e485b9cde0735fc

SHA1
44866cfae95091dbf4cdf760a59bef7518826a40

SHA256
f31ffdd46975be448f8ac61f2aa07f76779f56e2c244ba11536e53277febb01d

SHA512
de63b40954a61db57ea9ca7f78ca8fbbdfc57b61d49b462ec39e6561859347aea1b7802322ed6cccb7f42cd77af5d89eba95c94cdcf0409e5f0af251b6921639

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
279a08d7f15979aa2b010b67cdcb19eb

SHA1
b8f2e1ccb0533c14fed6b7f56428b95be13057a1

SHA256
1c63ba87a62b3141e118e43bd698430dc4ad76871c1d3c6c23af81d275047416

SHA512
55ce80741eeb94a11c90e3b30ce4913a70f3f9f48ba3b341ada0cbd2900371eb6a17f3c74379edc2d6c66d6b8cac7e328eeddd5f4502e62c4ea1090e9e82e121

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c5d7a9e4ed131141156f1e327683e1d1

SHA1
147e46a1b9e2fb3c101e2aa999291dc368dbdbf3

SHA256
94c3e307b6bf502402e3218df0a86d336ebd4150e193707cc6e83a8466f90c7a

SHA512
8f7e78db5573cf6b5021c2e5e0228bac7431762ed6c937df8a592322ed8a5cf0935eb5d62d5ad2d491cc5d344c52aac98590cbf978e68a174fc3f67e38613756

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ca1884e40fb64ad2097b63b5bc8c3ca0

SHA1
acb5c9cf6286af0c3d1e099b42a6dfb90dc6693a

SHA256
609f081458c14d2f34f7bc825f0f7c8a434f5cfadff95efc1f68d76d8e28ea09

SHA512
07efc3c505a0edbb56540f2b3143d0c5d5d234318ac15dd23ca6d2f28ed37c986a2518f6ce187e7de3b1c06bb7e4a1cc2488f659b663a8b944a76c2e5118e8dc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1c8a992f3915af33d3530d2f49cd6c0d

SHA1
d69ca0fe29a6db67e5b5daf68e249bdfb00e80b1

SHA256
5218d9e61090ca17f736d635cd3c7085f1038573dffbccb205631f54049ff9ab

SHA512
57400c61f1f04b8a74448271e8712ff3ae9bea5debc3cc9a2a6ddc5b1bbf158e3c636032be8321a1c53918ec163a0aa68ee9c039467cd1e775ecafb7f817c083

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
e3ccd4d1ff19cb7dbcb219e556a3f0ca

SHA1
241433414e0d2e6077fad7d12894c24e1a36d196

SHA256
56aa141166a2b69fe514c5baa68a6d36099c3ef5d9f12db901e4a3aecf3caf61

SHA512
cf99b0f21040fd7dcc5b6711f20a32a0f8562338a0556b87c608f5a8f54270257dc43bbc5402a275c1636ef191d501000a2259a570405b426a1fffb6712e1e40

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b26905650a6fdc536ef5bcf0abbd38c4

SHA1
30c8c7e0ddd617833b7385856cb0be261387797c

SHA256
4e431db9104d7432375a2ca2b44cbf0716b3c853a142ef2c8640a2fc9a0bcebe

SHA512
f0e60f0dcf68728f853090922c5d2ed0ebfba3e45fda1ff06bd0c8d24af16a4886432dd732192e96343f3056dbab21c33ff1c5a0ff6ab44b460eed2559e1996e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
84bb35001d73ee5e4eba0fb31f9e3d3a

SHA1
ba7fc1e75e5c26426f4d712736c3b5e1e3cf9df5

SHA256
e4dc0b199d4e87f302d753ab9ecc7d4257271fd5b57fbd676e0feccadb266fc5

SHA512
50f99163eff7fd7a135364e2bd8eb859bebcf693581d904d109a5e86da2ea10fe3446566b5027d552aa35939ece576ea74da8d53c4163fdb58845f022008a1d7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
edb130add2a5964d01dc2ba68bf508b2

SHA1
1d651ee76827d73b2b08019c352783e921c51a73

SHA256
c30b8137e8554c0e0c06dd31f5aaf9e9610acc0bf29dbc381258b9d2d96c5d02

SHA512
226e4402ec8e69b7779e64ed4d4783eb4a64817bb16b0d30cfc70d24722197fc4cd09de0846ba14ea337207c85e44f1bb84b6166ed97103c8c37e6143ab91a61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
50241c92f9f54c64d6ac14e245dbe438

SHA1
3a54a53bcc4f8d24fc2d60dc33a7c4d92d1cae73

SHA256
46f5152b82ec3567eea4dcde5dc0b1b74ebac974a90d522036b32c3239f84f41

SHA512
6411a93c383427bd0ea6a4ae2aa25d20f15ce2cde39d7ad97e3550aee56204c01c6a079d10c56b090ea5981dc7785a3f1b84bd95d98db40ecd486c74ab7fe096

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
f8e7ff7c1b550a6c9dd264e01fb0a205

SHA1
899d2b45d49dd51edf3d88b3e538297a86c58c8d

SHA256
a8a5bc1d7f5df915e16f544f861ef9f18ac8fddcfb34b3b69b1d603fa32fb51a

SHA512
ea8010d0f2917d6d119a8a6c4cd208a09ede541ad0b9beb731a1e256d85ba427acdf8c46c4d39b019e0d13cd9fdf2e319367a09e35e9042539b1f8df507a1feb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
9d1857b63284e93fe787e4c363ed93b6

SHA1
b556837fc8cfa09bd8bc1bba53d3da382980dbde

SHA256
0a3ee124ad67743262741738b70addd0d010d7b1045039af93375d4911000d91

SHA512
005db00a5f0cbaaf4a41fdd46e60fe0471ba3ae7d28ef4134865983090fe88fa726e0cc692ede6d7a74f0b5eecb7a167f951a671cc167bc06e480febe641cdf3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b40160da9fa918d00949ccb596477629

SHA1
20b5ec9afa7423651723fdb4f1e70a1d9c07617b

SHA256
02bcd96b50a1a4d756f0b19418c755e4eafeb8508975b622134f59fe9419b462

SHA512
f87b5f8dffdb1823951cc5dbba75841554f0c2fa9948ae946efa66359fb2706577889df4ab6ed702451345b1c2316a24fbf9bd70c9062ffbfe950b1eb457e98a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
b8603602167291e0d2e6d0941f194e32

SHA1
f20683cb8ae6a45277b74af60e1ac5d54b85813d

SHA256
482bf491d8e38488dacfcc2f0b516b48f0f13fdd05c5248cac4f8a0ede6d95ad

SHA512
1740f2ee167942e3465d8f1b928b3f47103a82b7999d1ad579d6bd3c56c10afe4fde4c91ae62cc422343123932f88c11b2917716f561c11895fc8b80ae33a41a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
ec7223966414dcefee1b9882cc1ded6d

SHA1
c355a82756e3d068db2d417ad8a9d729b1166640

SHA256
aea356628093ff068e8b7e456aa842cfdf77c1327f3b661a7eae09ffb904711f

SHA512
9035e890c7ca09fbae26e4aaa84eb63cde61b8f8e0ade4023e4a4dd155c92c2d4b938d695190c3e85099ce6fb6c868c5c0c302230f2a11659a75f422f74be2e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e71ac920b812a4e880e37279a4606eb3

SHA1
41f18a77ba1935d31857eb3dfaeed04ad19480ae

SHA256
4e4f3248fd8938b38c6f0b19e640b33377ba64769f230f78109fa65d397c0717

SHA512
4a86359c436922ab3aadd43cabe190fceed81861896143aed4834f7dcc74a6f9f4b250ad8397a8e07a5a81ce89339de454b324aa14225f6b144a8b5804355547

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
20fdda4a5c9b0599f21ab0d884de5b8a

SHA1
a82e07dbcfca459ae0b99e3f129e1f91820a9fbd

SHA256
17d75ebb9858effcfca1f4c4f8b86cc6c7c0f9dc9d72f940313f95c7cb58aea0

SHA512
6c6f1d52c3a2d4f52e6d4874784fa95900a43a42ec28d5bbe1f6a66cbd930b30989092a1fe873f3042703cef098278aa3e7797982470104b68993f39319ae82d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
6e15f066e0d70c08e503d338786f671a

SHA1
60b2a64332062f82e4a7a3854f450cfb34124dc0

SHA256
02b7ce6d394a5b07534b367462818ff728c4a6f861aa6fac3b9920cfc2ed15a6

SHA512
5c121862760862b8ee10cb37dd673f1b4741ec7aa33d527c1c578a656e31609555459cea0bc44e435795818aa6386568e0bbce37864af9a61d123dfafd8174bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
1c44d074d618eb21a0e27531733a000f

SHA1
362b2c08499cf424cc92b51dc6c1d9ee22a9a7a6

SHA256
ea17127ed38bbd447dc3c87d5385e2014198177fdd55bdbd0944a899012a377c

SHA512
1df7734266e81bc209915fdd3485303889b0fc5036118e504cfa38aa16b79e06cf50bb9fc893097eed722e746e95a6db76d5876d1ebf5912009673481868ade5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
bc41ece816bf52e3cf619321862442a1

SHA1
76823c32b4766adbad209dbb8978d03f3145bdad

SHA256
ea60bec54b690f48f3646d4be2d2e7631496f03c4682807e33ef2a2f3400cb49

SHA512
c3998e724f2e969d2ee42f385cb5bdd285487e994cac094368c4b054f8ce6f914bfdef4101ddbf26df5b382e998ab6b3823b2d75c2649b2d2c855d13b73f5ed0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
c5d8a23cba4ac55189ec78025fa8ee21

SHA1
57797c960de55be0736a0a348dd9ab43a51b9775

SHA256
0d873a8153f1081e7ffd6dbaeee2c896f46f7ac2672b85977b092f0a235b1571

SHA512
6ece9aa6df6030541143471a649446772588711d65a6e18f2f6d1617b690da9f3b2aaad14ea1d0002db3f14dd6ef82e0ede8bb1c65ed1c5a4a3363da656c8042

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3f945c6179ee254db2b493a945648627

SHA1
98e6aef31e026004c5efe57ce4ee7c35cc86cd30

SHA256
773bd01af0c69f12bb0ab8811c62cb78d310fbac4cdb4f59af2233c2f75ed492

SHA512
b8e53dff8569377dd61f692cc331c8ab45e2847273d7f109dd7dbaf47ab1464167ed38f5c5432b60c914e3c98715b373477d74d37b2da6d906651156c30da536

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3502f8fa32a09b2076a970937b21f0db

SHA1
0f3fc1338b4507556220f64207bf33c5160d4bc6

SHA256
de4f949e9e5aeeba07d11726f565ee8b00912f40791eca8053103854c14cf026

SHA512
2a163c774ae2d1bbdd2dcbe631d7a12d9e0ba0591f3ed0bc7b6be2459bb26e7ff3b9d825cef90bb8df81f231fd0b265989c94650438d72270c63c7d74aa47eb4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
cbdd4bdf1986449efc3af57b76d7771b

SHA1
3f98e48c9de4c7bf856abee9da1274af9c029f07

SHA256
72568925717444b89036b17855b8c52cf90ba5f964b0338d1465173e0abbea79

SHA512
284823a2f6639b4ba86212bad2291c482b0d2c5a5d271870432f6977e28ca7336f7988ee85a8c138c73b8365d790f921411e2ba620a14c59a54324c1f85a2143

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
78c1c9ed6c128aa89963538eb250105b

SHA1
439042e3360e17883feec4f5d46f975e05d9e17b

SHA256
6f5787569ccba7237ac85c9252bee9254b54b7d507a4bc799320a9d187232474

SHA512
8f51fa83442144c5613d1384585f6d4198b81a711e261f44115b644c43e5abe501f746c1e55f6126ad19327b45c0fcebffb30a7059656988ee8e269bfb773404

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f0790bd0cc7a2453aa02b4b2e95cd17b

SHA1
c95b68eea09f5bbf4639f0d729c4d91963300eba

SHA256
42a8a201f11a9f674c680f242c78d0b9c17d45340ac6acec633710ed4c07dc06

SHA512
f99584abad80a888437e5cda4aae0e2c1383c8f90cff64766d2291da9ca4438be775da708f46d0c951b2e51f002bc167a934cbdad5e71e186d55526067e7c188

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
f2e7552639e67e922c08c416ba19e825

SHA1
ee57ad3ea549b533115daadce6a6491668f699c2

SHA256
82e2adeb1b3fee01b016b46a756c0fa367f1e79a1546789e9a2b623a7cbdd4f0

SHA512
d4a94f3759f89f8d4d962b956eeed410a032577647ca35c788eee4f67c90b49abfa1471882e5b585c4f8d2e5332a2952c118ca2ab3e2521ba476239832a952f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
54090ffcb0bf55d65e5419adec9c3b0f

SHA1
64906936416ddcdade288d0987d80edd9fcde46a

SHA256
42a232667eee910edc790ecc1689dfa79dc011dedc2a58447be1620ef88b597b

SHA512
65f753a5eeebcf109915c539a2488f13d8eb383219a524ca5631f3367f97d6467872e37777ab8423bbcf1be6f2f15459a47de07a81e4333af3fc37be1fd73b9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
2655f7598a7544c5cffe5082beef18ba

SHA1
56fab2fe0c78f44c2edfa21deb6be913a55efb8d

SHA256
41fd950c76e958b41e56846124138ec22e6f98b63dd50eed0b80626e015518bd

SHA512
6a8cc43704003c609ac79bb99e120653fc8aced0bf38344e06ccfcd329df137d2496f5aaec8ec004d2144d079950ca8aa6f8c3024f3dbdbcea010b9ae533119d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
552aa9d54915c5274a637aa8f12d6f55

SHA1
53f8108accf0af9628db22d7a90c7a766f588cde

SHA256
8530f31f9788cea66e0389ad640fe776fbdae2112ad8d2ff5a72a92b974d444e

SHA512
68d2679e7d975bf7e59944dbf5951ac9dd9520cdd01e97cc3080a29af4904abd264ef6052e2c1a1c49c5c337e36bd94d86df7338a0022e3ed204c965499768c5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
6a54f71267c8aa1e4f936a089351dada

SHA1
f4e7978251a127d72187afd72a1aefcc2b01a7e9

SHA256
3362cec0d2a5126421ec09ef1f0cc2aa3348ba8d905e3cfd212c5138c7e54a08

SHA512
1b2b4ba187c8f1665c4e14ee8db4d8b33e26584c874e4a5241d379a3f4c95a48af7cef3831a4e6d166a7696c187f575b7967a55de4abd4fc150f15974d32d607

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
165009876ec778e1d5d0133d130cf607

SHA1
c65b42497ee2d2a9fc665e2c3d5f28533b8b1b29

SHA256
591b3a37761b5438dbb16e13c0fb02d5abf86fe213c91cdaea0de6cbb46d2694

SHA512
9fac200d9595161c26a76a04e31e40f974e866b74d67a0d4eae96d3caefec29f00cf6b73e21bedd5c56f228f565bd403aac6bc3196110cd07d92091aeab6f754

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
de5f4469fb0093e319070b97d7b50249

SHA1
12ddd577330a750f513162d862731856e31c86a7

SHA256
6b0adb43cd7beaac399e7a53824c4043af2c9f77252873137a77a1d80b14540b

SHA512
d3a675e821db1a24cb3c53c69a068f1a979c524a085f18c51ef73c142b232c728742c2c3f8eda3fda4b9ab8f69171c5291301bcbd045ac47a29ca9edd28f9fee

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
802fd0d67a1279a1f7b718edbcef0352

SHA1
15fffba2722f30bc4bf399ee9d3c3bf776377f36

SHA256
9fa5cfe00684844a5847d3ad35217c80332d1d8d739ab5e57d62f30ac3bda284

SHA512
f765a1fead4d60394b03846d03765ca2f2104939ca58e8b64b943a3edea09e99492d2ae4e5d07d1727fd759ce0e65ebadc51a3a7a5572c6515f4820cef7947ed

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
20e148ef0d8a1ca1494b8cc59af966d3

SHA1
7e8b4a4fb764bf022d24d05f5ce25661e34813b4

SHA256
1273d33019e5d05b3b4af06e0a7780c33cad90e2a67d890a011c18f254518fde

SHA512
09aeeba63b3275ac814ff394de9bad00234565a3df15b1048ded51416c021ae5621f6bc5526190edbcffa11a2a78abc539f7c3d50c27f8a4560a35a7ab328f9b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6612406f0b0b4a82a970957f9f637d6c

SHA1
37e0911f79ff1835dd03e73d4562351f441a2616

SHA256
becc1506d88a562f76b4097a467b604aaa6ca447557453869bb301097cc3b9c6

SHA512
6ca3595fbf5383476127123f828c1fbe461972c8799d4a1a15fe66c4d8b2a27d3b42994746eabacc68847218fb2bb4ee473baa35ae2152f2ae87d82287577bc5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
cf026dae7334026b8fe5a53f282cf7ec

SHA1
8ce0b1cba4e51818e52dece8c73f1b07f1504c80

SHA256
1a572c7e91f7fb86f1a1b2e5194ed94f694e00120900a5355915d9b0b9c5a401

SHA512
538a11ec897fca3cf06aa93284c8ccbe4b401f5defb9b78a5bf4fc26a3b9c9bb590ae9f0ac5def719b9c88f0af30df2d422ab6d1c508dd993feb3803b4b1d625

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
49fa889b363708150c7631f5bcbeab51

SHA1
1c1cc635b7c0f1c17e37241e01fef3b636843eb3

SHA256
4d4c3a6a646098da1f5ac3975d69ab75503f16917bc0a23f6a73d300fddd2762

SHA512
3406be2df189e294163e14341658ec0ca03d824401e57a28cba60b9dadaf1bdaf1b1a0594afdca921194a58c107983efcf67b1e96bd102ae838babd461726ca4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a592e96261b61b2ae6e7a49cc0bb3f05

SHA1
44f20bcb71f303e2179c1feb6dc8eab11f1f710f

SHA256
287b8d44a04535a62ef205ab403eca68f2e6b773b7e0df5e4a2cf2e4ac90c549

SHA512
a00b98225fcf7852bed3928d7486fbd906b146a02d3e97cd7d50591559cc8d551f8590527ebbb2e02b771d2500b231c24f37fcf8a09bd9a87d407593fbf4bd54

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e18eea64eaf241353ad19f4deb9e3ba4

SHA1
656201ea4526cbf0b7ed1a2bb0b1c8e76f5f1fe2

SHA256
19dde573ce689e00d2255af7d4d781a66929bd3811bffadc1f2e702474b75f55

SHA512
0032148169e94be8ffd14cecc920c05fdafc229791f2852273819e59d6283389514681a70c985f3be73a3403acbf5dcfa56f6d514f7709cb2c8cfaaaa29236ec

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a329a7d6a8f6fd117badb1f2b5760bd0

SHA1
d613feee115e48030101f88c6a6f440af58d8092

SHA256
b5b5aafdd1f5e00dd6299397af6bb3f26ace4589eaf6a08decb693f08ece12c7

SHA512
cb2833492b936aa301b65017a5211fa175e90ba935eec3df526a2499eef26ed620d888ae535c9c563dd43a892f43a079abf06339014e53903d3b331a35a4e23a

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
023e897d6637542ed840b81b2fa7ba78

SHA1
d2fedbfbb832cd1ac39f0b5e62efafee8537718f

SHA256
f57c7905b3ce54f6a01b44d082ca03ab8fed85d312acd7bd44f19de51af221c7

SHA512
6e532783887c5f295ec912ccb6bc4f33450f0d2e93b3c81e88c3a68f85b8c6f5aa430fa9e6a41e420ca53e65d27d48dfd4b35651a5bae48cda19297903cc1b97

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b6f18891cdac3db38c01a2da977b63cf

SHA1
91ecd5e0e107af13df9d55a9b98379488be11b16

SHA256
13fcf117e136ca268646d5868fa4356ba597b05eb8f1175547d5faf906576071

SHA512
4f85f672ceba7b27c0653cd719455c0edbd98f1bc3f2cf9273d6b71d1733805f1695f88c1fa82a0e8393d5bb1720511260615f34d1c4a5a14dc89480beed0fdb

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9c82c60667c422d1a5ace14311e3a611

SHA1
1da2a17123d34aab1d5b0f033f2213ec537de582

SHA256
aed15aff1692c33e27e19d9c52bc9a884bafa6612620f42da6365e08290f07ea

SHA512
4b188de7f3e94336c836f9946ddfa9cfbc5859d78f82d494e301b8cdfc512a0c99bc329572f314c9aedffa4dfcecf5ca1d66c3fa6219a70ddd70ea3811265af9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
1fb0c6bd97ba8571e2c12df95256948b

SHA1
5e37c8278c78e320e8480cd44acb357836815231

SHA256
69fa57508b092cc1a32563434df785b0db11f34172d6fed1d5376c56bead6311

SHA512
99e787e9129cb43b29a8b5bb1af8dab8a825110febabdc34dceafa22a6d2a2114e41adc8fce5715601af1b406efd0e828ab0ca2c5e9a0a3bfe5e3d47e0fc9903

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
6fb90d040dce9fd58b1975a9c44d94ff

SHA1
cb8e741c90866be1b1e84ae10477f13fbd69bdcf

SHA256
eeb10474fdcaf14c6a2e3d7a7c1209e8eec99024df279759d8815f5a877a3dc9

SHA512
a1284b85d70973c7fbf29936bcdfb6004f0dbbdf4c07aab1bc95a690a2beb2e5c6054f37d8b94c69632da376e441be721bda858a2f43e583f91949c3dc40d837

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f809246096e8a52a6131cfced4415115

SHA1
eeb6390e2bfe5b6212ecc21299cf18baf03cad59

SHA256
d163e11d01d23b534daa5026cc825a268549c4445ac53805f6115a19797fa090

SHA512
4201e4503b473eb0028c58b244483655f16017298451548466f28fd861fdd0282bdd14ee70331ea16761a1d69ceb0291280aae3ed3d39d52c75cac9e7dcc24cd

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
0ff5431ce54756c6cfc533a8cb2589db

SHA1
8696ddfa9722b6ed712bc9f107d6196940731621

SHA256
7ddeec82930d133e19d49d3faaa887071628dd15eb033a44cba5500bc3fe2dd4

SHA512
d10019c4e73d328c56c107f4e6ea6bd8fefc5c1c4354ced2b156b4de2922cc6d0e964be085646554ddb7c8a949497364b1c86ee1043a98aa34341ba0edb17ad6

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7e7b58ed4f3c8345db6a49c1ee44cb18

SHA1
2b426605166d5c6aed9afe9df969b6c9efa4000f

SHA256
806ced386479877a3b44fb36ba199dca7657dba4c7216b07d53ea69221304fbc

SHA512
9fe30be138ea9174e1fbebf3f39fd4f1b9acade76aee049c544d7f715bb73f41a4a77222a1bd5cb8113e6c3c596db0a322a717bef86c8a322aa72cfddad8f655

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2825522a1de9be4e87f693792562d560

SHA1
f156fc917a92a55e5bf23e6052b2d3cbb858e7c9

SHA256
89fb22ffd84d8c58faddbadacee1f25d6632c5bf6c1d574188524a59bdd2596a

SHA512
d9a98c10f34d601e5674e25b89a2d6133eccf02b4224f2d74d446dba7d108e723b0b89e1b3345ccf2698681e50c7a5e87d984047ca5c498fccc39c9fe9189e5e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
66b178c74327b6bf1a0f7e11c54ee5a7

SHA1
b96e59c97113714fcb0c53ffd5a6fff13e7d398a

SHA256
570e08c28732bb3df94add28a60fd69174770173f0817323c2f55b067a09038d

SHA512
05fda19a26ce3cb6aa7860ba8a710ac69ed1e9fb67b7689229615b248b06d513c62cd2944b6733dc4fc791e4b331b8dd6267d409c996b96b1b7d6de3a1b923de

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
f82b78dfbf040378ab63b8cb1cb20f32

SHA1
02b7a12f7b5a6aa95b9e44a8b26ac9a7ef041805

SHA256
3ec272f7b10c095b5f11d839003e0295ecf464f41799826bf6a7a6a1d194e31e

SHA512
43a450c3f21786be72bbf79da459bb4268bd9ed9119050c4aad509fc3dbc91ef23b3e14e5348aeba6089e219be26f38e0687a63bda24743c3eb604d02ac50478

Download Submit
memory/432-224-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/432-120-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/440-89-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/440-95-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/440-88-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/440-159-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/868-169-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/868-522-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1008-471-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1008-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1300-148-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1300-369-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1324-8-0x00000000024A0000-0x0000000002506000-memory.dmp

Filesize
408KB

Download
memory/1324-83-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/1324-6-0x00000000024A0000-0x0000000002506000-memory.dmp

Filesize
408KB

Download
memory/1324-1-0x00000000024A0000-0x0000000002506000-memory.dmp

Filesize
408KB

Download
memory/1324-0-0x0000000000400000-0x00000000005FD000-memory.dmp

Filesize
2.0MB

Download
memory/1604-155-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1604-80-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1604-74-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1604-84-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/1612-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1612-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1732-108-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1732-13-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2148-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2148-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2792-144-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2792-348-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2892-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2892-520-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3116-150-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3116-70-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3248-163-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3248-110-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3248-105-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/3248-100-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/3376-274-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3376-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3532-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-521-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3532-172-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3664-63-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3664-61-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3664-55-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/3664-68-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3664-65-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/4712-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4712-109-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4712-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4712-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4720-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4720-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4720-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4720-143-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4732-167-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4732-113-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4832-32-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4832-39-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4832-130-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4832-33-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/4896-523-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4896-173-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4940-438-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4940-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download