293a14ece916b10bc973a623cf264f4dee5de304bb2fb4db4a7ab60391d0134b

Analysis

max time kernel
113s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
Size

1.4MB
MD5

1c9ab5e2799e80cff646a8d5234f1530
SHA1

0482d1aee22bcf8733152a8498095667369c2dec
SHA256

293a14ece916b10bc973a623cf264f4dee5de304bb2fb4db4a7ab60391d0134b
SHA512

43d4ebd624562f719f7710b1b0a6d9f0802129460fce9159bbb94c0a5ee58fb70ee01420f8724cc842a2a177f930d8b42ee66639b90e4b8b33b3d825036c376d
SSDEEP

24576:7z2DWYlEKSlCnFx7PRPGqPxMJpt2dETOX49llUD:UeKSi3RPz6Jpt27o94

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3908	alg.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
1436	fxssvc.exe
4068	elevation_service.exe
2856	elevation_service.exe
1380	maintenanceservice.exe
3124	msdtc.exe
4204	OSE.EXE
1488	PerceptionSimulationService.exe
1184	perfhost.exe
4568	locator.exe
1512	SensorDataService.exe
2440	snmptrap.exe
4720	spectrum.exe
4712	ssh-agent.exe
2268	TieringEngineService.exe
264	AgentService.exe
2616	vds.exe
2720	vssvc.exe
3748	wbengine.exe
1220	WmiApSrv.exe
1412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c827d4f57fc53c59.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe
4108	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4996	1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
Token: SeAuditPrivilege	1436	fxssvc.exe
Token: SeDebugPrivilege	4108	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4068	elevation_service.exe
Token: SeRestorePrivilege	2268	TieringEngineService.exe
Token: SeManageVolumePrivilege	2268	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	264	AgentService.exe
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe
Token: SeBackupPrivilege	3748	wbengine.exe
Token: SeRestorePrivilege	3748	wbengine.exe
Token: SeSecurityPrivilege	3748	wbengine.exe
Token: 33	1412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1576	1412	SearchIndexer.exe	116
PID 1412 wrote to memory of 1576	1412	SearchIndexer.exe	116
PID 1412 wrote to memory of 4256	1412	SearchIndexer.exe	117
PID 1412 wrote to memory of 4256	1412	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1c9ab5e2799e80cff646a8d5234f1530_exe64.exe
"C:\Users\Admin\AppData\Local\Temp\1c9ab5e2799e80cff646a8d5234f1530_exe64.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3908

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2412

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2856

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1380

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3124

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4204

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1184

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1512

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:456

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1220

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1576
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  PID:4256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4e359b3d07b0cc6da912b66ba7fcbf6a

SHA1
bd5d91ae0604b9dfae19247b6e09737133e05879

SHA256
11489ca92e4d047e827599e10adce69da023a8dccb2dda09a7bd61e441b2490d

SHA512
a199b044d1615c7eed40a8b800e8e5e80c925b5ccec3473363437d11925e80a1e931015117c45c6e6a6dde64c22d4ad3833e92607414801c045ac2a5f771b4b3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
631cc4a4a884a610f4a5dfd2d98beaf0

SHA1
bc2dd20f5a2b3b1ca83bad3b82c3cbfed2ae2f07

SHA256
251e49c2f139d3bc22f7121f5d00ac6c4e9cdc7fe791f72188c4c3ff884f8fb6

SHA512
7ea7b08492889203ed9fdadb90770649772a4ea51c3f336566b351398ab4fd5c18e612e22db2fd7581f783424f8367fc421c79080f04f2f74d8fa37821ea5c3b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
631cc4a4a884a610f4a5dfd2d98beaf0

SHA1
bc2dd20f5a2b3b1ca83bad3b82c3cbfed2ae2f07

SHA256
251e49c2f139d3bc22f7121f5d00ac6c4e9cdc7fe791f72188c4c3ff884f8fb6

SHA512
7ea7b08492889203ed9fdadb90770649772a4ea51c3f336566b351398ab4fd5c18e612e22db2fd7581f783424f8367fc421c79080f04f2f74d8fa37821ea5c3b

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
876239a2b4ce483402cba202490f9dd4

SHA1
ed92eb6cf7b4281d3bfd090eddc40b1274863c24

SHA256
0459d454e4729a332cd81dd4775b794d5fc67311615b355ea972443dea46ec01

SHA512
f281aa0bce5f1748a0b91f864335d0983accb366a9a5985e4afc2d7467d972f09eaa82fab0e020716ae71bb573ffb7e718205a40972f48edfa5524bcbefb1d61

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
41dc389e0812c43595ad4b169ceeb4e8

SHA1
7120d7d4dfda9229de2b4d4644e706b886bb264f

SHA256
e4429791174116976b48ead4fcaa72fe1dcfb88c0a7a03a0d72d480dc6b725d1

SHA512
3269c59ac4ff989707fffedde4b6bf21c25145a3c7b5881e520f3500c4cfdb83f67e78bad996df470a8270a70e096ae8466f82c00125e73986bc607349fac6ec

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
757e6d5ec03d3bc53dfc5ccd3fd0a33f

SHA1
dac93cd62067de41d360180d9bd49a0bf30d8d68

SHA256
bdfed7e7978f859ea8cf9bc787815cfd4c42b1f9199b095b43b59a5b5b77ec84

SHA512
5d1ce64fc405b97fafc9292adca68b59d31288b9a1704b48953bfa3cdc8a10d92aede1c295fcb01e2a571100f69f19e585d0130db0eaa992e694c80c53e44abf

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.3MB

MD5
55e462783a40ae9e8fb10e361eb5c069

SHA1
86548c6004b3a14edf432ebf1ada47896a425992

SHA256
ecc918fda29ccc205bed0ef69e6f72589917b7a01a19fbf0943ca8176b65de63

SHA512
b637aeb945c7659613dad233c816d92d0b81e650f2ce0e828bc5ac04245dd8d88833ef9dbef3eba1a1b99facd0d5c4d1e0cde93f6924845fe50fdb6f40a6d9b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
7dea8b08b178076143c8e19f5ce92ae2

SHA1
20694f333091d87368e7e4db228937ce7e6aa206

SHA256
87f1b40121db51478648158e7b89f364cb42a9465bc8ce0ebf2694abc711629b

SHA512
d5ca3a68a8f5ac2a25a67f34eb9bd8eda6dffd2fe46b40a273631c59ba2b48386c1e13b9c415b3629e21e66e06b0029fa8bb5435a8b727021073e8707aac41db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
4d003fc1a0e214e39dcb48d21511b20e

SHA1
18b00d80f59f6164120ed0a4d49329fe86f23f2c

SHA256
b5b8cb93c3c98135c40151335ebc861592954bad9b7e49cff11ac4ddaf03d7ce

SHA512
19f90ce427aae9afb06c390e4d0e059c663ffc7e5f53f1dc864e84e12df2b8ab45a7ec7374c0088c04721246f6748ca0408ba1824d32ca9c8d5eaa6d5a374aa7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
8b82842dcab19de4041b92e4a3e18c84

SHA1
00634540e4ee36a11d9c92370ef78ec944097c53

SHA256
34af7c5a2673ec858eb444a2bad45b4b02eb65f4293aaf1f5d9f838a7a8a6262

SHA512
8b525a17e507a536d0b607d03e762cf546d8be14110906174ab789a94722774541b0333dc26698997ce1cad75495ac7da1bb946d99d873aa3310e777bebb4ed7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e9c84f750a638857eb8a185c2f695f32

SHA1
dc8bf029566a44d48c55ec66384dd46a26f9cf32

SHA256
bbbc12c07d2bc7d6633476c4f9bfd9c50d65d28c02ae26c2be0e46384e726fd5

SHA512
83d803f5c1d025d4e2709615c0631ac1478bc92bafccbd2f7283c90a03ea3f396f0d00c0770ac3bbc0dfad823bbc713237b722d0e4614178e83775ffc884cd69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cf6b6ff53ea041e1a793be1f3065b094

SHA1
6be0caee18bbcb33ea9966d970fe9d040ff2bd11

SHA256
1fce9f61a465f6aa7e72b4a47b05f46fbd3e36eb80eb30d3c34306c8d9d9bfd7

SHA512
078525438583bb909e6e1b6e022133ed226aab55e29102a104efb4b28174830b32dd8a9f87d93b2282ee664edbc5a5adb8b8ac8f7dc8823c6d40cee945127b68

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
54adb86b065aeb374017b41c355cd5bd

SHA1
6c45464b6812be8e77c78c41fc5795a8e92b5cc6

SHA256
db4fe4c7cf7d297a1f61a66f1aebeb22a983378807db1e6f6bb9381ccb0f5500

SHA512
f60b71e351334f31f5ae99a4d529a4a0a954d5cb48144932ee172aa50eb84244669fa4d0b16ff56758a5e09554fe477568c807738a93b04ffb666d89e9036053

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b7fd2ab300d33e2e89a5ea8221efdf2e

SHA1
16948c21b21b0cc562d874ab3578aeabb3abbaef

SHA256
c60142146124ffdcf3da70bc306ddb7481573927cb40be109a2975c1b0de3a36

SHA512
794810888ad69ae320c78beb37ca16515433c98fc7bc9775e20c7f562299d566128761699a2fe6a98ff75378dbbc104e410eb852f4b4bf91c16aef86fb9ddcce

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
1e309d3228cf6edd721f8afe72142281

SHA1
94694decef1e5bf93e68d2cefe61bb42bc06c953

SHA256
dff10fe0d8b8e07217d58675dda21cd6e38218ca125035a0ffbe9a3dceb9dbb9

SHA512
41d1a9aa4ebc548a0dfd477362dbcccb7b2fc80411f38dde31ab393e76b222e8d3794973cd13f261f5c383bd8943c07fee8cdbc241a8a6789e06b7768a1604c6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
5151f8946afeb3a4842965a28de69dc2

SHA1
b4fe910e8636d1b00218deb4c0844e72f5cde2dc

SHA256
3e2bcb8dcd7b7bb7eb4f5f0baa7b3855efd2a1af40393f021915060f27ecc4d9

SHA512
1edddd34388247cf529ca1f12a37ee968f603a00d657fe50f5b9021d280f0970c8010a62cd9f927ade4a6f3dc78cded9d6ad1e569834cef1cd219633806de54a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
194f63fd276f884624d7c6d3e5bd758f

SHA1
d3a85ac30717210f97d6e11c9050a61e6b3ba74f

SHA256
996a658540b4a01536a17b391f0b3e0d88cc6227c3e511dd85fdb2042b27f7e6

SHA512
8c1d82a7bc56cbdb3b91937694f32a60f4f9c361b7b009dd4d09a0d1072012c7f1148e98279c24eecc48a9cc68497079beb64e52c539f54dbf44d69199f06683

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
5bd80d293fe2c65a079a810ccaf7405f

SHA1
fb287b23c7cb80e8d84832cbfe64b5dea5eef1fe

SHA256
73e110dbf656cadca4395802e4893ee2b3636e4dde764cb5b12db668713e808a

SHA512
1cca5ecbee73a8c6d1b2d917bcb5a3bb3965dba9f8870faa36da72999a47d85f1b758c131f53f27e8873f6de717144d7dd5018e84e9897f6b5e41668fc83ad6c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
33dcf23ffdee23ebb2bef048cf734d72

SHA1
a0e353eeb1570c36e68f5d1a1af9e2a76a5750d7

SHA256
8a885c7f62ac8e5635b7ce68dca5cd76ebdb88014b7046eb1839804cfdaa2c1b

SHA512
86f8ad8e5d3428e7ae04e0ab4af83e0e7ae58009cb0f137a2232311de8f775462e2d546cff0f5de813931613d05fb97935f36859ae11e1cd50292ef165224750

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
1c482e86d13abe1267366b1de2a792c2

SHA1
bfc93c73087300e835d083c39df332e4082117c4

SHA256
c17c2714b2c20d212bc44890ac74df58f3d5d1cb3d6686ac01cb3009dce724db

SHA512
5764713e0eaa2dee2ca07e7c2f1bf7aa5cab79bfb136e43a4666a0cb6b2d4a1db141fff4d93dcee060544e5ca09502024eeb0fadc551ee52da27f55e16ac02af

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
b45ba91a79df2f561b857974bc508347

SHA1
669de5dd38c5f800f940a72d90da0c5d26be765e

SHA256
b24a197a14427b6a4a810785aab953ae5a7762b139a0a08714d688f46f62419c

SHA512
e37eca2336cebe5ab8fedeb962831081401312528822864a5a327f00a2971204faf9669fc4814332d71521ff97aeb7f70553519868faa55352d2bbb9e72b351d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.3MB

MD5
4efd195644b21802b0377b2c5f547386

SHA1
b17cef58a33512a040674389d1c876f441c915df

SHA256
87f6470f1ffbdd4713145388c83501a6fc6ebec0d51b97a16b1ac0d858f275d7

SHA512
eac7e8088317c181ea0f2c2445b534d615822b2f429c14695acb5d8b8e0b857843d4cef0c15d216261431092a2a96dc883fbbca97e4298166fe772e951bb242a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.3MB

MD5
d81eb91ff9811c7bb73bbbb5c9d21ffa

SHA1
465d726aea9cce42a518f95d515fbe33bd064972

SHA256
8a96a4d239d16cf795af864fa7b35602f822f21c2ab9372cf8c79d2f15d25218

SHA512
5664c101d1dea49e20065f5184af110c9f9aaeab6d5d05973de63d9270a712884587c37e3a37b19c78fa49178274c3713309f36b861e096bfc21273fbcbdf20c

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.3MB

MD5
5259785e0cb4bde864c6e5155e5d48fb

SHA1
119deab1615d2fa5892bb2eace224421009b3499

SHA256
b94ea0100739b03b784576e7b74f5fd3e60e4f739ea60fc41d5a36a676bf7d70

SHA512
c58bac2b9f5f537a5b714b4279b2f9ff7a3706ed3ee01913484b86774b66d9adeebd70a9e1248465ee7499b691e27300c3be811892c5a67c3deec0f8c88c46d6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
5351063b3a4d6a4568a5f05c545482ad

SHA1
5d8f4ce6e74104793b109efd2b2ba37d49ba96e1

SHA256
e6271492af4a0afb0f084e3ea87709207aee4156c20b7c39e224587c5556d5db

SHA512
114d03ae8c1b24722330be8a0cb27ec982431882489bd8e44bf75cb2b94d65711515420abd9e5292443aba5984a824d52d7c41156f28e38707202ddc815d878a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.3MB

MD5
d9cf06cd13fbc0df03a205324f47f5e5

SHA1
981bcca882f688af4c8381bb4f4c8d56933e750f

SHA256
051e10e999990b40e0adb3271352c4b10ba6029700f2cf778fd5434d50f2edd5

SHA512
25b5391e3b689827fb07c5c5a81288f5b11b19001b29b92729bb485e070ab2beae87ae2268b2d0becb9bea5bfb59e638608755ca13f7644ad20ce000a4c8bd48

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.3MB

MD5
1c21f0560aeed5b5a3aa3d23b1286041

SHA1
3b6279d0dd7861acbd8573b90688157afa213890

SHA256
d7c559908d441c0a42b19827f8951191f03024658adb59368b609b8c104aea33

SHA512
858fd439fee7f917e8c1e52f274cc860bb7a8ec1ec4b0eb99a4898857ec8c2199021961c42054d334d443beb8ac865b95488d79e7ec4eb4c7ad288a10b3816a6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.3MB

MD5
81dc54f1b5b3cf3287452ddac2a6e984

SHA1
40d6adff5dd8637be710699706d8fe92c88914ba

SHA256
146d9d748f853eddb206fa8388fc3c83c481814fe4cd1385d0bdb375024e0884

SHA512
cd6388f70ed9fae1421d8281fe702adabec13320e111dd68f98a9757eca8e7fcb09afa571b2936a9529172562a316c727b8dc0df7d12d596212c7381322079d8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.5MB

MD5
1da4e1bdaa37c7ed6b4dec1e052da09f

SHA1
41ce8806b31f5d126a613fa19ba5308a8aaf95e2

SHA256
9c9a7d5b13ed93a18de2b63465782d28d9c13714c0f526a8915cd8df799dde63

SHA512
20b0457bfd8a4801742fa02b3ce88025a93c055df0773ccb716b68f380f5b03cbbae8ed481fb3b07a53083c885fb846e5699188290080a528331643dd76dd05a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.3MB

MD5
77b7fb4df4c7f044ff2946a23831f7bb

SHA1
d59d0afa77bbfdabdc701b685106db865d29c7f8

SHA256
74bbbb40e87c44241ae66d5dcebc4b5846f1395d94fb6f936f6f89b906e34f74

SHA512
95388c3d3dfbdd54b96ed7bf0e2430f197b426c13cf0cb3b6e152e83af59e2c0c9bd028932d2978bb0347604c40a8505139532d25edb40284552c08ac1fb95ae

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.3MB

MD5
e76d7a0dbdc8c9d73f8df83e85875d14

SHA1
d4d5f8a856633b94de1e7c19c1125dbc54d7e596

SHA256
05cca254eda6041968309fd079e59d1860c482677dde3f2864f903272888df27

SHA512
d872e9977fa4d0d5500a657a644432863a37070a3d3b759974c384b7d0719a2120d82e891a27f8d26d9b3e9e60e3cf21a1f7f6539002892d51a8b0deccdf1f5a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.4MB

MD5
b88c3e441071c17d41f3c67a416ad4fb

SHA1
d14c29e45ffc7d72a1a835ce666c710a3b5bc4af

SHA256
2de2aec95e1c67e965df7dd80dafdeda8241899ee411ce6506b290bebfa540bc

SHA512
d5bc78d18ec158f16e15d66b9bf8b15833aa28d07b584b7192aab8b99802642a7930617b571bcc1a64f12cc4ff60b2f4d080d6ae44fe01b973833891bb4054f2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.3MB

MD5
e338089ab51eab30025660c01fa94336

SHA1
3db4707ca55821ee3ab0ba240987bf2abc303605

SHA256
96968eb5f46433e0f222fb88ac4d285a15feef6430f85d1d3e9a4e99b686589d

SHA512
c40f666250b484af636246e1c53320a12569df0b19886e94f33477a469b9e70bae93ee3ded8862f649e057b0af64b36ef502b0dbadd9e4e81c45e890557460af

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.3MB

MD5
ce58e96972fa7d27caba4089f5eda11f

SHA1
98ab3363cfb741ddc592542f834ed5519939bdfb

SHA256
d65c32fb824fdce291e5909c24e611f1b9af8cfac54ee5f4b07ae955b031faf2

SHA512
0059d588d4d1ba22af40490c317481400d7073ad5865880fe2263895e5a5b6d9c23c75abe17e436e53dbca515ed243bc174bfc9ccb6300e1d7274604327271de

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.4MB

MD5
1d9ab82bc8b90ba4da0f91deedac0b02

SHA1
0b0f4df376d0c60a79277d30705d35e6ccb6bb02

SHA256
0981ee606aee0a395b889dc42ce0554e982d07c88198b77dd82d25233771e2da

SHA512
882284985c695e226d2aab3268fd44f183ec29b88767d142d8acf2995d29bc00892d29430275e2d874eca819d7843c20aff89b0a1244d8721b7c669902fcb197

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.5MB

MD5
8f1b11e61f12669f451bdfafcb053243

SHA1
c7e0661b1743eab8206e6e131f46d574169ff1fe

SHA256
7e31315ca6e8854dd9967cd2c63a046a1996aa3aff80b83dbfb56700dcd31434

SHA512
3d7cac34c5078987787c40fe2366f18309e4eb63bc8ec61398fb76ae83030d00974e2933c869e2870a1d7ac97e6f3273881c4668a6902b816488bad72b0d4190

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.6MB

MD5
ce7116ff0e88f7782b87b54e9cd2783b

SHA1
f5b944bd392dd37fa041036c0c2978167f4487f8

SHA256
7f3780c92933715dd6feceb0fb976203ad71cf64353d6bc208c7fb975d593b86

SHA512
bdffd1870100bd5b4d64606a477f0b4b77843c9bbde1768a6e4f7fd528c049a3acab5f1d1835ad4a31b806c6fdd03c511d261087f69af4878759b5ae04d11cf6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe

Filesize
1.3MB

MD5
b7a7352ad573f05cd825e135514eca28

SHA1
342ff7be70a4dd9bf6b58db6e74379cfd1363fbf

SHA256
aa4ede3053742f92791e855217e7c7ea28996a58f23d088ad3fa0504aea9d5d8

SHA512
9e3c1b11c24bd3d3e7d1d1d2b1b85905c2a1d12c74a0ac00dd381604adcdedf7dbdf9163ebb341a833228b8598d56e5779b6f793aefa5acc61f0e673706d0d9e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe

Filesize
1.3MB

MD5
22a38fb876c32bd4266fe690c120db4d

SHA1
06ea712e9467c3abff7465e197c8df846e42cd73

SHA256
d4e1d8c9f442dfbf0ccd83e0cedb228dfd467ba3486489c3c8b433cb43a5e714

SHA512
ec923a047dd5841a0526b9a273aa4a23e2e5cccfb441c0e854830c1b9a2b6dababba1aa232914bb604e72c69fef86cf11e9cbbfb5823415138da21557179389d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
3bd571d60f975cd721642bfe43f0a5b8

SHA1
cd111df29fc225962f89d359bec128bd8aa3d256

SHA256
d936b4f3f3e8ad6d187be44264ec2b0791bc8f50538e9b49257b7e5f03682d3f

SHA512
5b028065c837b532b7a35ab1d35be8cc3cfbb806fc3fb07b6ff8624c08aa405088b58f6e95f144513aa1aac23ca684cc7afa66fc82baa9b5a3ca00fdc77654f1

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a75412fa32ba46d4f868b4d8765dd3be

SHA1
a53ff523c03ee99897f00dd02c54f793001bc05d

SHA256
b586ebec82078e2421860bfd373b4ce3eafe2def691f5a80f893571c9b88f6ba

SHA512
155331d7306330d32314330b3e6395f8c1ddfb90998646a7b2fa8f8f840d73131b00685e098451da7b7b28d4f6c40a46d05766c6214bc5661eb833bee4657e8c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
93cce36319cd75957276c985997707c7

SHA1
b314c7d3f127c21f056ee027f105dc1fa68235cc

SHA256
f7da66a58fbabd5f63998c32342ad2185ac5bc6f85a328a631f960bea76e242d

SHA512
e1ca8ccd0c7614f9cb97c9bc8b91fa7e407c8f1203c237c3d65ad07a53b522a0329c98204756f2d95971ae0036f6f860e2ffb69e8c542e3693f7f938c0b309e6

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1c01e65b19ddc949b6093d802716f523

SHA1
b815c8277d3881a826915923ed6427b4587fd176

SHA256
88c9b7a3ad38d35bd4ddee776c4c9b852b02222e4d128242e86f53b74b3f6def

SHA512
2b606f576763a363c6b95dc07ec6cc610c9c15ef5c124c3d67ef28b1e825b6a812cfb6b0c39888ec618904ee7be0008c4e16c16e79de87b072e73cb826c1e757

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
bb61c49f2a27c1fbbda9aca70166c33f

SHA1
dc3d9b9f21d044d844b8cd4746db7a26748a84c2

SHA256
22671b756ddfad4a240d38eb7b49ddb9ecfe805a6368bfc6a361c9f7439c78c3

SHA512
a0bbbb64cecce4806b908f490d19c8743c6e762064702c115abe7dee009ea8328bfd9136e747a19d410dfbd05d6d3b6ec50c11cc34cc5ca5cdb527067813902f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
eff26b2eb3b20abbf49d36a7faa0b7bc

SHA1
aad593d9c664ba05910e62baac34e57adc78ebd7

SHA256
ec18ab3a18103540c38f4378180e8dcda3fd62167111daa635fbfc5190551a1b

SHA512
a64dfb9458c45079a1aa8b9bac91e7d21617e8ff7131c27335450f48115337bf5fa428a230d8d667d459ade97d27114f94a028367d3713c74ac655d7794db253

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
eff26b2eb3b20abbf49d36a7faa0b7bc

SHA1
aad593d9c664ba05910e62baac34e57adc78ebd7

SHA256
ec18ab3a18103540c38f4378180e8dcda3fd62167111daa635fbfc5190551a1b

SHA512
a64dfb9458c45079a1aa8b9bac91e7d21617e8ff7131c27335450f48115337bf5fa428a230d8d667d459ade97d27114f94a028367d3713c74ac655d7794db253

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
511864fb6582710b8496e6c958c33bf8

SHA1
bdbcd4cd7d06b4ddc403aa7a2f7f5caf4bf57eb0

SHA256
c80be82ddf07095628810632d41baf5c10504ec118dd94a3060ae2f64f782f57

SHA512
06a73c320d9dd1f9039b2e4b81841f4c2b3d5fdb656a919eba0aa3f5a859074bb209cfa9f99d48f520b0290cef809ffe7d31a541cbc682a46e562bf951d369b8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6c3e57cdf664ddb68faf6a7edc69aebe

SHA1
edfff2b22626d4af7d7d1ea3d8659dc2074f8921

SHA256
333aef45977e9c3c29504dd806fda05982ed388e86a8154559ed9fa14ae4e894

SHA512
e446e3cd74f68a860f65a4ccbffb972e01e278f0c5c8ccb6810d75f7397c3d69633500f1c69f28eb43442cb609439c9d4cd3c67e008e690c20ef373f21e1e8c1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
99d6a2a283c563021591d69de44c2a77

SHA1
4b0f4522a457bdd0e13cdb38828e66fd13c6f0a5

SHA256
b9e28e3c87f6b2c2fc3fa5517843eeb8816f1351815652135be6cb13d8b7f8bb

SHA512
93e88ec372b5bf9344bf2fa494b59515fbd3ef5c3d3f78a83eab8f5b018bd98350200b69948265d2189a348a0615cd26c6b9830f129ab90de61861cb66099103

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
99d6a2a283c563021591d69de44c2a77

SHA1
4b0f4522a457bdd0e13cdb38828e66fd13c6f0a5

SHA256
b9e28e3c87f6b2c2fc3fa5517843eeb8816f1351815652135be6cb13d8b7f8bb

SHA512
93e88ec372b5bf9344bf2fa494b59515fbd3ef5c3d3f78a83eab8f5b018bd98350200b69948265d2189a348a0615cd26c6b9830f129ab90de61861cb66099103

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a301a32077055ca0109c14ae5d87c411

SHA1
50c699e00317ac87e66d8b4bdbb047cd7619e4c1

SHA256
a9b823e0a5c06397d4149a790d14d1946fee1880331519bb6966bf78f5ca266d

SHA512
da3e6d58b970fbc61604dfa185f4a8cf93f838706f97388d9c87bfc0ef1d641278b0cb3831d2fb15fc34a34f9a6b16230025dc0062b6580b2b6162df9e5e7596

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
587b4e8be39e5a9a6550b158fbb6cd86

SHA1
76d9eab6e4987b846b32bbb7036a9ad23bea7127

SHA256
91f8aa2332e52ecfd321f2485cd556c561f466475a0819d4d42a7c6faec81f6e

SHA512
055de7de45c6716df019922ade1ab4ffa63a14fd3cdc57092b8776f6fe5c3ce627f2ecfa3094a9a7e081088b5356ab6058b174c0063841c6cd71e4b3c8621455

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ac768e2165e33f48c3f2ee474d928e90

SHA1
89514000ecb4edd3319572adea01c427c078d90e

SHA256
c87a8a630c482e6078bd0cfd716d5f5b6079751b4ca6f74444d11cdbf8ced5a7

SHA512
535e4d96a85cc14b3914bb728fc35be9da4198960d0a6fb1257fe933dde6efdaa3f1f054febad5d700ae44ab826bb6525eda3b604c078674e5a68c1c47a34b5a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
17e30f04965e154a69f68c9ca3dd87b4

SHA1
e3dd6a473bdad42353418e4a2eb70c415faeddb9

SHA256
b2064bc9e4a44499f06d24e4aa2a7a045b53902f6f4dda9d63d8d0dc4a2e6f08

SHA512
1e521f9a808138f8a268c7b80bcbb031887e5c48b1383f71dcf0ff61ab5cf46bbe4446e9cdf4a91c44f203bb469e4910b3dc35a2128693bb24ae46d3d9c869ef

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9ee99b991c59bbb6278f68047bd3aac4

SHA1
7eca5d108b34b72337110df6c4f97f146fa3eca8

SHA256
d7a356fb84ae94a2eead0a7aff7c7aa802a084439261b207c0abfa4c32eae69f

SHA512
2b1ad5106677db553c3c8f711fb309a9fbd4bf03fda651a997ee34451f209b7445eea3bf241a5b20ef464ac319ee35cc8187080cf7acc8535f6c87b8e86cadfb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
386602c993d638dfbbbdb03e793c66a3

SHA1
82a857214d537db7eec9687b0b3b6d2aa0d34a18

SHA256
1e680d646960cd5328bf220d9b871e15d39c2422d0c8f6e10e3ef90aa3997681

SHA512
a9299671def28213d335ac2e74348e95114794a9d0d4cb6471f1ed17d9809f81df97e52d79e553f2f0bd47bb80640715db93294b8c9c845208042c2565dfbadc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a8cde2ac5a9f69fd677053b0568f3fcc

SHA1
3d70081a640e17df88b1d2b78cfaf09881b0437f

SHA256
0913798922d7529064c3cc7d30283b553cebe1afeaabfe66070aa71228eda793

SHA512
93826cf6ffef1a4e6faf793124bb69c204eed7a55a64c744d684962a76f1717cacd93d75449a7bddadc61cafb58c1b571cdb5427b1b9223457c424c82b8ac0df

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
5ee1cd330e25a508f670c58e81b4ba47

SHA1
b2ecce217f73e587640d6ea4a2d50ef106942a4f

SHA256
c0be9e39d1331d781edfddf99c934b668ea3485815a59d3160bf92997cfa7366

SHA512
2463e32134f4c7965a36385d9d18380852341da7ce516dd212644bedafd60453dd6bfd2e3133adf9a22298110273dec133001312167a5ef294f8a0f20ee1843f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3f28b1eba028ff1ae9aa6a577cd45b9e

SHA1
cf516ab4612e38a892b192b7a7e1f173f04ca8e7

SHA256
9e7618b7721e062476c621bc8edf9d0c65b06929fd393617375535dcb8584aab

SHA512
573179d5f1c906d1f069c918af779ea877576ec069a4096e8ca19e5390bac5293a8330722743e522f0ee0522da00cb65ce70e2925df88f84c16ac6221a29bcd7

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eb5d2f62f8b628ec002a46a090bf6897

SHA1
f69c471f19a1c58fb754e950616ff6065fadc5f1

SHA256
841491eb5590a812eaf807791862de36e6e318087101bc473b53b896553b2a9b

SHA512
7fff8420d48390cc1365a07b7ee44e6edcf9d88c1a7588e37221dc34c3b3aee1eeb780fb2af97a7494e6259fc7bdbb6c2878c16031b4982ad2e725519b8af425

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
4b7ae66b887e4de6ceee53d4e8620101

SHA1
8a7d1c42ded6ea80a65fc7103fcb79b71b8a00a6

SHA256
a34a3143e22960abaf797421fe64feef31f4ff8e439f2104f469abff6e10c5db

SHA512
563eee8e99a7ba8431b462a135a2145e2a7f6da20c2b459c671d4b46231ae442611c030380469d3d04ed451d5fd7941eec7f76c889df4962130731b8c72496a3

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
1c01e65b19ddc949b6093d802716f523

SHA1
b815c8277d3881a826915923ed6427b4587fd176

SHA256
88c9b7a3ad38d35bd4ddee776c4c9b852b02222e4d128242e86f53b74b3f6def

SHA512
2b606f576763a363c6b95dc07ec6cc610c9c15ef5c124c3d67ef28b1e825b6a812cfb6b0c39888ec618904ee7be0008c4e16c16e79de87b072e73cb826c1e757

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
562381cf5eba87a922f75a8c66e0994e

SHA1
8870a7608b9a6d5d854f32773c7f98c7ba1a7e02

SHA256
97329569ea335d540fb41724fb1be3ff84564cfdf6779c304d4ef69c3e306f66

SHA512
36a5f847174f7ddd996c82bd90f6b8570851e41cc3ca88a7fb8d67c90eb081ab8d2b79e5bf7034bdf774f6fa27583e07b069ae9d6b04cf2f53300a5a5d0d0104

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
8f27e8cc1785aca1a360b746608bac06

SHA1
01110259ff8e433e7bb6d7c592cc40083791d753

SHA256
e1d744f64f7694434386ab09559ea2891a1932813f756ed1025e2a196c35e3a8

SHA512
65299eb7b3aa1cf36ad79db32ccdbfb5f8c402edc850f8cacc278244bc0fa2cc5eb87ff15c384b86b5c994c4ad14b09a1a725ec27f5e077faaa5313599c990f4

Download Submit
memory/264-340-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/264-338-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1184-114-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/1184-256-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1184-108-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/1184-109-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/1184-115-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/1220-351-0x0000000140000000-0x000000014017F000-memory.dmp

Filesize
1.5MB

Download
memory/1380-67-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1380-70-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1380-73-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1380-60-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/1380-59-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/1412-355-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1436-33-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1436-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1488-193-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1488-96-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1488-98-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/1488-103-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1512-306-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1512-123-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1512-296-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2268-429-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/2268-335-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/2440-128-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/2616-342-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2616-430-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2720-345-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2856-47-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2856-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2856-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2856-107-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3124-76-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/3124-126-0x0000000140000000-0x0000000140172000-memory.dmp

Filesize
1.4MB

Download
memory/3748-348-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3908-75-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/3908-13-0x0000000140000000-0x0000000140163000-memory.dmp

Filesize
1.4MB

Download
memory/4068-42-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4068-41-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4068-95-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4068-35-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4068-34-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4108-17-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4108-79-0x0000000140000000-0x0000000140162000-memory.dmp

Filesize
1.4MB

Download
memory/4108-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4108-18-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4204-137-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4204-88-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4204-82-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/4204-81-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/4568-289-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/4568-119-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/4712-331-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4712-418-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/4712-428-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4712-323-0x0000000140000000-0x00000001401BB000-memory.dmp

Filesize
1.7MB

Download
memory/4720-307-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4720-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4720-140-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4996-0-0x0000000010000000-0x0000000010160000-memory.dmp

Filesize
1.4MB

Download
memory/4996-8-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4996-1-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4996-145-0x0000000010000000-0x0000000010160000-memory.dmp

Filesize
1.4MB

Download
memory/4996-149-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4996-58-0x0000000010000000-0x0000000010160000-memory.dmp

Filesize
1.4MB

Download