caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b

Analysis

max time kernel
155s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe
Size

716KB
MD5

8987087862a86bcee7247d6d3a4e2494
SHA1

8fd45fd96acfb4368a126806626d8a0e9b7dd8fa
SHA256

caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b
SHA512

90c7ad0ef32b4dfc51f4eba44db0e236cfd644829e4dc26ca91bb1344d1b42a25a721b589e26be4fb518af74f8aa5f80bba57deae6d49e2dce4e243764a70af9
SSDEEP

12288:e3P/aK2vB+7LD7bHVKMQ4O4vSjNsyMLpRNO2FLzTGT/SRel8lkEoiqAj:e/CKABCX7bHsMQ4/O6yMLprOInyT/Swy

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1248	alg.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
4616	fxssvc.exe
1056	elevation_service.exe
4504	elevation_service.exe
2812	maintenanceservice.exe
1864	OSE.EXE
5000	msdtc.exe
4308	PerceptionSimulationService.exe
2816	perfhost.exe
1620	locator.exe
4908	SensorDataService.exe
3088	snmptrap.exe
4828	spectrum.exe
4772	ssh-agent.exe
4836	TieringEngineService.exe
764	AgentService.exe
4728	vds.exe
2328	vssvc.exe
1392	wbengine.exe
4084	WmiApSrv.exe
1412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7bb55133b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 39 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081c53bad9596da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002faa01ae9596da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e04e64ad9596da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d6fe7ad9596da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
3724	DiagnosticsHub.StandardCollector.Service.exe
1056	elevation_service.exe
1056	elevation_service.exe
1056	elevation_service.exe
1056	elevation_service.exe
1056	elevation_service.exe
1056	elevation_service.exe
1056	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	380	caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe
Token: SeAuditPrivilege	4616	fxssvc.exe
Token: SeDebugPrivilege	3724	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1056	elevation_service.exe
Token: SeRestorePrivilege	4836	TieringEngineService.exe
Token: SeManageVolumePrivilege	4836	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	764	AgentService.exe
Token: SeBackupPrivilege	2328	vssvc.exe
Token: SeRestorePrivilege	2328	vssvc.exe
Token: SeAuditPrivilege	2328	vssvc.exe
Token: SeBackupPrivilege	1392	wbengine.exe
Token: SeRestorePrivilege	1392	wbengine.exe
Token: SeSecurityPrivilege	1392	wbengine.exe
Token: 33	1412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1412	SearchIndexer.exe
Token: SeDebugPrivilege	1056	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1444	1412	SearchIndexer.exe	125
PID 1412 wrote to memory of 1444	1412	SearchIndexer.exe	125
PID 1412 wrote to memory of 1956	1412	SearchIndexer.exe	126
PID 1412 wrote to memory of 1956	1412	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe
"C:\Users\Admin\AppData\Local\Temp\caf094db5a1e2b29dba012cbd1ccd414b05dd40b0dbb2570eb2c105922efe17b.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1248

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3724

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3708

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4504

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2812

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1036 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
1⤵
PID:1676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5000

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4308

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4908

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3088

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4828

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4996

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:764

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1444
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
d0039f07d81b021baf9993b3a8c2f21c

SHA1
17cda8bf940786696cbce35e3379f2f17b386ce8

SHA256
7524698729f6de874dd1e0d7c73a8ab785a32d014b18898584517235df12e676

SHA512
a38cb7e3576fa84a41c289336b614ff23ab65be84564413b75ec3e7db007954074944bbbe9c21d781384e9598909f12a8128273358cf42d6e158dac0e48abb22

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
a35fd290a753113ac0d6bcc60a0cefa1

SHA1
4151b4a2a113022a610b48b2ce430653d9eaacfa

SHA256
75fb4455562c0dcde55bd695a47cb163ef287ecdd95a5c36e2a9158c93fcb483

SHA512
7134ca525f7515439e0b9975810fe0aedaf9f1912cc5856741629641861d02c213a654c1d49b4452103b1793a97212c34ae14777a9e792a1e0f5f36502cfb691

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f693cc6a3301f4e46d5668f9006275aa

SHA1
3dd98281ec6bc9d20722054a6c4bf4ece3abe17f

SHA256
5492903aeaf3bc5061815c48a54235a29a839d7c736f542cb608f003430632fa

SHA512
b4cac9d4dc9163e2fa2ab8fdab531f264251c52e25df5c8c7d9a5b92db078d71b3da99179312a33a7b3bedb83869a63fa4b28f1dba316e33a0ec9c7d224a1b55

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5f85a6c3d5ad94782229402dd5e1dac8

SHA1
d4ea8694be3bf3e5bb62967dbc5368ce48ab4ca3

SHA256
dab004011ac7c522edfbfe28aefd6299d0fab1d7dbe6a5f1ca395f20c9023a9c

SHA512
fccc471a8cd407e6975bdd585792fab42e607c981bb7565d950aa1231690098b1cbe29c24f061b5c4fec63f5b52d34a1f2b264bc62e4eb47e62e756ef40697e4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b9527c00c15420eff75d337cf0e1aa3e

SHA1
5ca783335fdae0f0cb00a223aef9c300b2fd11df

SHA256
9cc5e22ea343803163826a8a0363dd4a13d770e2456320209fea509a7c6dddd0

SHA512
6ea7a32d180aecea0443cfcf9580049335703dd5d689204b0856c00e83acf20cacf3690ee2e48154894bc32648b63f7eae18698c18dbadcca0b61040be76b6e1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
65c09712d22fd08fd13c24a06470957b

SHA1
bfb7a87ba7f0deeab7fe6b97664ebc0c8f484095

SHA256
94430c93348e4a7ff8d5c0d7aa62c5427dc8c64fa57832032bc23aba6cf84cb3

SHA512
163d188b4b7b41b41b60515010dab00b78014394011192ae50a17d697c4d2df83872a210b02be088a08f075dfc0833cf4b8424ae77e9e06489c5caa6582a66bb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6c820d616efe4baf399dc5f4d0cfa68b

SHA1
b55361a8b679394feebff1abee65d6747d77cdfd

SHA256
cc389b19c60cbc8d1680897209e889c2248165a5e8ab5f3a1018628c149f72b8

SHA512
e7107226775f13a6c2ed0cda1f4dc8c67f7d9b476eed26b0120e8e8b748e5d916fc1df7a9c0fa5b34c5889a3b577addb4a620ca1b05a52f744a93a66ef0c90ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
73df146ba021c95e8940f8083f4a1ee0

SHA1
0fb8becac76f051f6fc65b31ead3141dfe70f591

SHA256
f9d76b4a304f257328d6f4b703206ff26a53d16a45ce13f3c80a03a2e3b455a1

SHA512
f3ee62479f214928524cc609d58ec2025b7afb6f2bc0517da684cfe692c6ae6cb585db3b43e4449e6e562d009d8145274098907b281a772fa828335899f7c8fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
545f239e0964de14d68334bebc8e84bd

SHA1
389aaa61be469a67788f7afea7054096866e1ca7

SHA256
91d618cfd64a0bcf8583ba7795ba4a48aa26e70444f04d76558e05026cb8f275

SHA512
de1ce739b51dc5b0dba26d9b0927313b50650ef1dc0a654f481e1497a5f9ff51ab5f7df738b955f134f199476329853b40ee4653f83addac2d35ab30a86e2d3f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a98e8fd50fb27008009de21f9f0e7b8b

SHA1
72950097d6b22efb1efd7cd26d625ab08608b75e

SHA256
233d297853f5eee4a13cdc5f20d198a65963fa450cc5323f3b18bc07c50022ed

SHA512
c81b884e307c5c43960ed8f6f3f94b3c1ab72d2d85fb6117527981a609f4e807fc3678de1a522286bfda3725b273e99034aca74e5512a35f1d0b94c1788b5434

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e9b7da29c520d90694d0b0839ababb9c

SHA1
06e7c21b4d28912d4deb1d56da2727a3ca319d44

SHA256
54a0287bf00351919c0ab005271ecb72feea55091062f14fe6714c57f335d40e

SHA512
b7f202c03bf08ccf5848d77f5669419a4be74f15b21e5bdcbb8ae0166381a8fa47978d80f79930d815c902ecf6a321151c4cddf91e5ed61ef85ed82b9859c6da

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f55c9bda2c23641e0ed783bfac8e53b4

SHA1
48be9231d06fb4f4f4d6de4c92475eb990e8bec7

SHA256
023cb3a953d6482608d4daa6a418bddf2495b0f489d13f428124a1688f92f53e

SHA512
ad34213984343e1458bff7a1ad499320698bbd3072b1b3f895f937a162d81208de28773c77e7e25c25085f00d1426978acf10701984ba798aa12d446600730e6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0d2708ef3223447839f5042820936f85

SHA1
020fcc98798c9ea420d5536c8843fea3c9a0199b

SHA256
c1a8bd078914749e45686fa8d4bd8348086ab9e7b9318db26c8c1931bd39b93b

SHA512
437fd7102911f0822ecb4fba616b3a92ea954d6ece85f7945697f7a810e8132221d682d070afdd0fbc5c9fd2708adb700c6b34204a5c47e3d645f22d81b78a91

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b001080c6ae73f408de2b667f2c67237

SHA1
e52fd5a271b848a34b13d04303db160a7873c850

SHA256
e50d8c613e6a9f696a02c7d63136f44439da45692fc1fc87c5b0c7c6db4a09c0

SHA512
9db3ebdada956ad444a24d823868246111de1cb7b92bce372572e88a32222d114000f61cb78cfc19138b5bddcfb2e9555b0d6c6a12d9141603efc3be2912f8b6

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
7c2e4351f6e612a080c2461eafe1ade1

SHA1
ab9f675546ab4ef11725ce77be22e858f5119eb6

SHA256
c407ad983d727100c59e4099f41ae569b24381b232ea8445b7650b146a973f9d

SHA512
b3d4f94ae2d4d5f29d33bd97ed3df0981546dd037cc0d2971a1f2b998bf52beb0f63fa2ac2913ba6ce443346aa06d77736708c1b4d69923d7819b7bef0549e91

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
4270c1b83e14d76243d5c2d0642518c6

SHA1
d321a877b9c30efce5c6f2cc5490ead7579b14b9

SHA256
9beb572f5ab60afa4fcffb4e4774aef5c8f9589d99224620b30e0ac94d86b2ff

SHA512
b2aa0df734167fb88d3ad68db01924009656b40ec14748b8c88139fa62151ad5d74c2fd8c65a0f66cbb6763781464370ad653f3f3b9d49dd98639615107bee7d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
9c8a524c190471b64a2bdf89f14886dc

SHA1
d2fda89a40e04700e65a52ad5a2e6e544dafaaad

SHA256
213d2d129efbd58b7151aee27acf97fc436ef52a8cc0f354ab154ed2e8cbebbc

SHA512
846fb3f3a5a9b2d287c04a989fd8f54a2b334b6d6a9c1e1fb0e7653d717fdf2f335753b3672b95e05d66f5d0c390d34fb613e55f41b863ae8ee320290edb1302

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
37b78f29f70cc52f3367c70739c246e0

SHA1
59803d34963f34cfb8ffac2938a0ad9c71ae7ef4

SHA256
be7cb3618676ac87fd191e43495b5a06d3525e01a0f208713d3f4927c9a60869

SHA512
1d3c24bbe3dfb3966263dfe551f06b7624bf1e15b987b929a76fb8764a7d187e5fd3b39abd9b8cfbc2de78d72e1acbdd49022279b640cd02d0b51e3c7db11cef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
70b08d0f4cb707d3ba79f11f88be7584

SHA1
eade9cb4772d2df2e491cbfc54451b281de42a38

SHA256
417ceaa1597ad08e5ca5318527a690ffb5eabbce9b8f19b750abc7f7f7cf4ebe

SHA512
4c7ed810ae1958105e69987acc90d38a3e75500c35855590f0abc190f5c8383bc3ddda02ea3db26490cccb2bfacca0a6cafbdde7bce2fc92117e6fd15a3f360d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
2126e4875b1d721e0f00cffc7a6aded1

SHA1
d36b6befa298ef4847c4147c0e7aaaf372a2bba6

SHA256
a4711f9df9f9deae5f79d9e156fcdb809e1840906a6d82f2f5d7a216c1cb802b

SHA512
bc55ff4422d3817e0c6cc10aaa4c8aea6259338ea6ee92a841116ba5ee163eb1b50fc4c0677a8683228fd293d5f5cefd6460c89d5c6b79bbdd32e66df3f449a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
161781d6297571781c766693866743e2

SHA1
9970e5e42e98ae0ebfc8758a6769dd855b6281b4

SHA256
4de47ea18c2eaf2373c90827510cd99c912580e344dfe914dc592f6079d31483

SHA512
706cbcf3a9c8840cb920487848d47b20d0fe44ece5e89d726952c178bc569584c961a87fabfdb3587def8ba2a1986417afac5efe16d1d9235cdaf845be7289ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1a5b2c61faf2878c1fa79034fb536353

SHA1
c50dc9c16dfe0ab91fd3012414d9dd6df8b3d2f0

SHA256
1f9913818b09e831218499433f25f4395b2cc343f05872582bf8188f48240276

SHA512
ac1c9554b27b5daf689a0d90f7b7bb381032b26d60c1e57bdb06c140547a1887f04934b509f147a2497a54e791e8ab64adc4dd16655c9b7b50ae59025aae96ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
d76f93301b6243bf78f286293fa9f12b

SHA1
18b82956c7fcc470a87a2d03a68a6909a6b19ac4

SHA256
9f013819cc5457ebcb24b907c18c6fa221afd19a0022af4446a40e70f1ec7700

SHA512
4ade93d84c263fd9f4d8bb39fb94024ece924ee2fd4360e30ef7a6034f378d44a0ea52aeae3239ca4040c3ad4b3c36e5bf7fb3900d9a02f460ec566574bdeb2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
75a8484233b70313a5010daf6fb51fd4

SHA1
8d11a0ac8c194516f317a9d0b88fd4f38684534e

SHA256
6729ac8bfeaf08946106c9435f716b357703a1a97a1a6ba483361be18fc3fdf4

SHA512
eb6c5d65438667afca63368e6587ca0569bfa129454b7157aef6df2fe98f0ec98514b2edd63c098207d1ab1f2fcd71fbd531d8540ecb6a47d9732bb2392b0fb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
41e5fa7506a5edcab022e56a31873d2a

SHA1
ade3fab77c423a7363b79fa4d7d71d07f796b07b

SHA256
93a49b1dbf6d9bfcb662bbf5f8ee7fdb001ba54d709e2a9aa4b060eb155a8555

SHA512
dff8afacb36a440519250aabfb38e68595a190f422b807b49a06b262f93ae58856687308c2721e90fbf58ce3b454c863dc1a15156e131e4bb1ab3e4832734c30

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
88d3fc09872e3dbfab105bf7fb33389a

SHA1
55c1c98829532d251eef724fee50233cda4488e8

SHA256
701b61e269e6569985cf5bfc0661fa58038d642991e47b51c37b83e927c12bb0

SHA512
903947ba4e8f106a8b208a200b2b05a8975394633ffd55f5513e1bb9784663a5296687b5b1560c6d3eb44c4cc512a54145826df41f1b0217c1ee24fbd84800e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
4470611be7b0f60c43194c8200e1bb6d

SHA1
a9cbe3ccb007e7562279b61467369e4c67dd03d0

SHA256
16035cca332f16f700213f9bd97f710f485cb9e662172508d2061bb2d2515b58

SHA512
6c74f32d69c2af8317672d1d13e08aa2cfabb677b48968fc585a3340f9d74a7f7c73396bcfba661ab62d199eec29e7828fb58b4914884f3b428c7926ea191007

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
d58e919c8aa7200b3897c0f5c83666ac

SHA1
d8dc0060da6f9333cb0ae20118fd58f8bfd49103

SHA256
0772dd2fecf5ec1e14e99a7ec6d2174fe835bbe7e54eafd7366bcd21e09aad45

SHA512
fc21193a2a09618f7ff7c2e4abc19e7463b8b0805764e1ec4c343e6e8337ed76ad0ded695f94947392e505949b8b49e9cf08877d94fa59a3905dfe773010a798

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0addd817dbda70d98a7041e72fe4d7be

SHA1
16af873f0dfdf4591ad9d2a96f6d1fe3d785e533

SHA256
2a8d8f3e800b69eafa0f4f9dcb6affeaaa40900f9fb7b7c46578b9fac6ac8060

SHA512
5c15786311fd80ed5518a5a2e3baf9a8662c9989aabcf9ba43f3542a1d2690ae4a85c7ad77d2c75a36cd85d6a451f029286ecdf3635ae3f96a7d038e69986ab8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c0b3293cd876c3083fd793c6b4fca9a2

SHA1
d8f75bfba6280b023b9cc88f877699599b7a9a7f

SHA256
d85766be7b14548119c0bf779c88d1f0cf7896eb056416fb50d73d8919cbe98b

SHA512
41f419d0c4a907d8f357bfbd0e63dc55125a407304f32bd824d6b3b6bde5c03b3ab5a9d5577acd4d9a33ff81b3bb94646ff2a0532d098a0cd00b927c3d343916

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1c3450406abbe4f7bc2a6df847609826

SHA1
6c5d14fe9f15b7f5afff6e88c9da78b030504743

SHA256
964f793db4a2a4b24f647c945d5fe467b76a155d172dc6d73fa4e15652979dfc

SHA512
1d64b78c2f4b947818485ae66631f18a1d146eee660cdfb143a958959233bb71f3ef8b497af6c9d817a2772ffde9adbaae8d135d3c3fa683be372afc6a22a675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
6e9f537f8116da3e0660ba3b18f99a17

SHA1
e56ce65398776f37dd0c171c9eccd9502bea3cd5

SHA256
181d2c8d973593e15687d5d3d50f2fb270d66889183f1ad04e526274bda93e1f

SHA512
223b9b8498bec16f9ce37beadffa6135acf0b4bda1d10a2a77d51eed64d4b867bf80e2cd37c5ed225f5f7f7eb650ce09e584c6cdf4b6e6159d0409ff3cfddb84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a8a987ea0176f70f50771fda0c081b75

SHA1
31aa9496713c0e445afc3b5dd908a8421ec88cbc

SHA256
cb741db0074db4b054cfd9d360f7b2207b3207c8712c33cf133a1f6d693c467b

SHA512
3e3c8b6cba00eba0bd52960fb70b64eaebf9f686729964c7e1a3b4553ce9e1e4ee1beb65fd7e4f384bffb73869bdf7cd45f3f4448b043517f3f8d3d24f7bb541

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
53fa3324c838cb49f8ddf091182599b3

SHA1
e3ecb3f338569f4f88d17109c2ad18eaf6a4504f

SHA256
b9a9b05f9d7738405dc4cb4987dffaf6e63b0efadbf76f79231ff3233892e334

SHA512
54bbd9e9c2c2040440ba24709f87074cc7aec87606f1d59ed46246c364a14754eb639b6c57e07870c42ddc1f37d9473abe88985dd4e5c344b397e8b3c5735e92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
abf299004b7b8c1b22b6cc92f1abd582

SHA1
889474078dcdce1b321cd4b44f1da02a5933d7ea

SHA256
f3f0af3ba36508235b87bf034dfce6c90e65efd6bc6f477905ffae523c55ee07

SHA512
af6a325502a1fd9723603d458ac03dc653e5bd91a87704e4f1e4b4f3b5deb69d2a8c5154a5bbf57a7c1fb347a6e640af2ed16a55e5e824d7569138b005bc4091

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f969104a58d6c9022673ff22134a030f

SHA1
17faee2e2915a3134a2c4bc6735b01c4b5e999de

SHA256
436b3f5407c47ad125a0c76e2713b8bf0e7166de201b2fd0c0c0431676d0502d

SHA512
1db2ff921652c010e4d68b009b983b8fb100d3b1884bf51932bcfc8227260e5832fb75caaddbfe4c0d5d4de454fd4d45d70f1cc265917007d5abb7d4326e0ff4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b7843fd72ef229ec3743c665dfdb2581

SHA1
f56cd82abb751e384cf0e1e76ee78672a7c60d3f

SHA256
a011f8d132d8669d33b3f543dabce4eee2e606528f7fb35d7f73dc04c8119dd4

SHA512
8b6f3695e878fba2565c1785c9fee33e991b1c35c9aa62397ae70084154eaa4e7c30a903d311bec9b2b9d0ba2233959aa99755b3ea1705db15fe9c2157c14e9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
18bf26be103cd1c7bc2738169097c955

SHA1
51564f19b5cdd48e14662ee937b18b91fc1f5426

SHA256
cb4065f9596ef862895d0c68521c3addfb3d4a1613c01f1b63bd5e5c2c4bf4a6

SHA512
9f686802bbb39bf88a442cf870fb4f05955dc46f1772dded7fb0032a7d9668992234341ab9ec73ac4767aad6ec7e71c834c0ba8b5e44770ae4c0859aada4dc75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
c5d25f7e89150d3a31fcd5e995287119

SHA1
688522dda2632532de7ae1021353fac0a89a0ef8

SHA256
001527b079ef9ce0207dff7e1f042535a530982d0e6b4e5c640b10c876b37e40

SHA512
5e16b08255cde7563ca8eea0d48a13218f451cf309d128a626e17c399260fe520b20f3f0a008c4c8611fd2555aad426665e96e2bf7f8f84a93e0ebafeb6fe0a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
68877051358813b85703478354f13c21

SHA1
5e1f7f7904b11c40e748fdd883ca9e75963fe318

SHA256
6b8cac7bbf4b8174dc0a2ca59fff80c135ca931d96d850c62b5594ff1a7f8469

SHA512
f245091afbe9656a1276789541503e098dc414cb6c8eb1cc59a7bdc90e89ad3bdba92ea162e9f4da55ce728cd6d6fbc157437538d8f22e8bd39805f22a7d1bc8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
40f6f165a5fc87937a444b1adf576e66

SHA1
e113e6723bee653caca1c3096593336d1bb61438

SHA256
bc5f1518433ed4d6e075ef5de552ae0651a515cf217824e0694d3bd19c599a14

SHA512
2e6f1ce920f48fa7ab39916d72e21fc901776d6b025b6d3a620fa03f4ae0206c88a0faf208b2dd13084d4ce48ecaf6c6f29c49eb5340774acaeceffb48dd1acd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
5aa1dca639877b835e41a8ef77073e0e

SHA1
a45852f0ffde78e6e6b7e9d337018bddfaeb72c8

SHA256
fb04f03b1b919294dd10648d1014742d4a6446c7b6d66e5564c7b5952eb95519

SHA512
41c9a3eb16e0f1977c63aa151dfcb3be98a8d356aa1263a966f341eee91604beb3d0f1a38cb38bfcbc9a4fa564630726b1e5f84ca2162df423d3a41139de9969

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
aa2ee8862b35636ca92757c26d5bf5dd

SHA1
4cf0f1e195cf49bd7d1ecdd0514d22942c572ffb

SHA256
411af9aad1cacb10a79c864ed10b7b4b763129d6501b8c505a0cb7103bb69288

SHA512
12a9dbe9cd419d6c1bd5045e974e73d3332b89f5fb0571ab6ae8e3880a77d49b414acf4562a87e266dad97e658110d474ee89a7ce42135fc739ed28d0abdc3a9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
eb5005dbffc14ae94d3d43b321bf7b6c

SHA1
e7155f27ca3c1cf36c1c724935a03df818b1c152

SHA256
a765a45d6a65fb88030d269bb5214f381766fb985a2c3662b73c1fc0871092e0

SHA512
9c20024190138423fd13cfa572c9b0420f138c845efc846e451036cf508525adab92a5a6f6ca4e910563cc5e5644b25e4c36adf01309d6f62e085bc2cd3f9635

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0d724de9ffab3f7cd07b974a95a87324

SHA1
c03970c9e1b4a018e884db21919ebccd636bd876

SHA256
7f171da4001acaf65196410448da20e69ba1f0a89282bd08de8dc34130f1ebeb

SHA512
5d6550a2b29e068042140a5132931c5dc10ba3d351a6ca4910fc20bf63e7db29b69f25986cc27be52471d7be2e3cead2aa3726afe6e4d52f0d3910489308eca1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
30a9932352a292d6a437964e026f61e1

SHA1
020b9ac59e5cd10121c49f6bcae4f1aa33b0ce63

SHA256
47ad2e56b155fff9cfcda55b21d16bc8977de890793aee33cacd6c7a08bc6151

SHA512
19c12f72480ad1687a1f41b7993270791b0e57847d484e61bb1db45cc001fa206d3696ce4adbd1524bc12143beedf0d9bdab0f0e51943429ea1329d4879344f2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d57fcda5cf11b6142891ce1de7b023c6

SHA1
f585f570a8da707f688f6703675c988dc98b0944

SHA256
85a67fe9fe11c9e366bb3294862733c5cd14edc35f699912e882b6a0e77bf064

SHA512
95ccc7ef0beb0a25a912d8fbfc1fa46eccc31876b630fda4f145d235cf81ae5cf8cf59caf4342281d78abe7b617ec5244cedca2ea61f7612026f37f78749d18c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
595d5b2dabc0d8f02a31468cfb826700

SHA1
9afe274500ecce7a3ac03685839fb6f840091ef6

SHA256
e3eb5d1d8a71aa516bfca5a1237c0f7153a1a44583bb8d1d5154c5e126dd3d73

SHA512
9e16fb9441a1a8a8fdc6b4dddc031f830947da93f37c5b946890895d470154f80fc9dafde8efcd79e22dc7bd432a30f584bd3331bb375a40e23e13b48ad0475d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b033c88cf8af2968badaa6d763c80750

SHA1
6aa9409c5c362f49c0ddd0c8be5f997dbdc320d2

SHA256
c7437997b641a5042170cc72cdf1e3d1abc08b1d1c4c29f6b5bf913f7c9354fc

SHA512
465415fc65e5acfacc7528c2e1e1cdc1593ae14ab60cd353547a841759f66b3986b6bd5159aa7c05a633e75251fed22bdfa439182afa2f12bd487305a5ac9fea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9121b4b0d1c17d98fff63b04fc43787b

SHA1
b4e9dd9e2fd08e36b770023458f4e60f4b5e8fa7

SHA256
f4b0247cc26f97e165bbf69549b53eaee837866855d9f161bd427d2046a77b79

SHA512
29c61fdd3ba8a4db5e1953bd6d9e9692570893dc064bd8f4fe37a6b1c620bce7576f6cf55b38c5ff52fc0bd6617990a67061ef154143f7a1974c2fb163fa1738

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e2330ecb070770d9a18e1a7c314d4360

SHA1
3b87f3e98a89ea59f37aa21208d11bca11593dd8

SHA256
c3864e6ec02c6e2a12061be431f99df3d6c422bc3a51fc947b2d393a8d5eec4c

SHA512
97c04d7f26f55cfa8f76fe1e9179deb81dd802bdef62e8d918e315d80606767d5a5f73867ca3f035be4c056a81c9f7d0bfc8ced4051afa9af982a701afdc07b3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5c536d42a9763edce5f8c9292432e63c

SHA1
0d9e8bf26608bb39656b342169f1a0eb6944ed35

SHA256
8763c73dd7bbbc578283563f6f082d46f1a7114e597e31b68cb55e3a4dff1f73

SHA512
a42d8b2da48da0dc4181bccb75e2a6e78e979c6f92b59aa345ed09b716c1a5d8a445a1ee8dff6bb24f3b473560602d5908bed3ced6127c17d86af844a9f46c29

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f96ee2c64eda8fb8d5d237a71399f7e1

SHA1
c270123581c696f92f326e016b77dd29d30a5593

SHA256
f26b3afb390d07915d9666c47565128e0b4d79211f26daa7cd8e68e577e0e858

SHA512
3993f23dddc4b99ebc732c204dfac3562cf6fa10c1302b9d1cfb50801b29a65b1a1f68b5684416a864c7272eb5f3961418dbd833abb4de0b550416155596ffaf

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3782492c4e9d7360629754b04d51981f

SHA1
27171259f86bc6d0cb065e74ad897522910a7da5

SHA256
984f888d059d8482fc4603fedf8d164c93c1cdb604450cf9405725d9383e324a

SHA512
9b0af3b0baa58831b3c5ea4f67c76415d17d04a3f6421f165e42feeb2c0e316dae9d47b7827c77cb9824ab4137af43f15e24539253ae2a096f5dfb4a8154022d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e12b49a0a0c248d4c631330b80d2e25b

SHA1
e21b0c982d13fcc637f75381958a536122dd56e3

SHA256
d8ada4f8e77a017521de70eda6fe537e822ff16f4efac1a9fcbab6f4b9c35a69

SHA512
dcaf40da03c15d3933bb017980ee7807c0efdc122a1c31f6e54a1e99fd6c827e8558720784b2de363b4c091246b46fc928599f36c2e23273014d52b49a155b46

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
fe52c4384affe6e39d25e18847aa97ee

SHA1
4b28b65c9953f02ba34f32696374d7b4e9ff7893

SHA256
4432c5bb804c95fb306b9708b79e9cfcfd6df6999841e05535868c5809664d35

SHA512
ad395f5fd0df1efc37b390a92c177860badf6a12551f6a5b761182abec118ce76d8b1a7fce16e18bda32e094814b7bcb27444af6b8653d12828fa3633a80b418

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
860f6096b709d3699a0658b39925408c

SHA1
ae7182b57935362962d19a915b2f1370892d2eae

SHA256
454d98437c51c8a2248cb193c81db6a00e34670e89b28d1de373cf798a3cea33

SHA512
3807b7a5540e1ff28fa34688380591441226abda88dd93fe8f1cb0e885fd173d2e2c47fd8794b1746256b8d291714909ee467e53b6ff91e35f30e739c2e3a736

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e3dad7d2576198cca78228777470ffd8

SHA1
a4d156d7f646fec2e98e97520b85ef2b2e577b23

SHA256
b66adbbdab4c7486e358f0b56ca6fa5cb7fcf8007589be9d9827705cdcc48f03

SHA512
e3a8a55e48fa09090bf856da152d4bcc6d4abc0f74fc6287501194b2a51500eed1175ca6b7308859fe8f3019055feb6093ff90bb822aa87556ba8bade781de14

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
75b9e6a79dd54b01d0210ad434184615

SHA1
9b58f6a76cff7b7b793178eb05580073be64b0e3

SHA256
1f696b4efe4e640fbdeb60baff4fcdf7d5b6fe3fb4152291e2eb1f041ad315fe

SHA512
de77eea00955d1b17c991f6d96e252134e1da7dfdec723bdae692173c6f379753e31fc24c3592fb7f36d858421bcb83d052ef76ea64eaa9c085e9404a8151f8b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
bf47e86612f884548b93a68ea7263b1e

SHA1
b2b419b7e040c07d709b3e0d7b9477733c8fcad6

SHA256
1ba97d5e856327f50c606249ee2f7720e5e6059eabed3218e8a99f42f27cba54

SHA512
2166f172b5ea1002dea381a0f09397c57deb390fb9a7ea96828406f7ff954eba76e7df497f5b5850e9450c842d967ed53cf86c48d1e8dd668a31d411318eca57

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
00e610549b72a04568bc65338518222c

SHA1
fdcdeb4a2b7dc3d1bb230281eca38c0f20282068

SHA256
f6f863fc7d762f944aa2581756c95859e2eb9a52d360808ed7dec58a5be0c82e

SHA512
78f06a0845dc90a93e22a15dca5726d1411e01c082f44238432c84f7ec6e9e2465c19d2a469d1a3e7d2d83401f155e66d4a3fc3dcb01f0cc0c67ac21fda951aa

Download Submit
memory/380-6-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/380-1-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/380-44-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/380-7-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/380-0-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/764-329-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/764-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1056-35-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1056-175-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1056-36-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1056-42-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/1248-76-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1248-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1392-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1392-431-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1412-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1412-435-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1620-335-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1620-286-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1864-84-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1864-77-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/1864-78-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1864-244-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1956-436-0x000002300B330000-0x000002300B340000-memory.dmp

Filesize
64KB

Download
memory/1956-437-0x000002300B340000-0x000002300B350000-memory.dmp

Filesize
64KB

Download
memory/1956-442-0x000002300B330000-0x000002300B340000-memory.dmp

Filesize
64KB

Download
memory/1956-449-0x000002300B330000-0x000002300B340000-memory.dmp

Filesize
64KB

Download
memory/1956-454-0x000002300B330000-0x000002300B340000-memory.dmp

Filesize
64KB

Download
memory/2328-430-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2328-337-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2812-68-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2812-61-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2812-60-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2812-74-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2812-67-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2812-71-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2816-276-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2816-277-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/2816-326-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2816-331-0x0000000000570000-0x00000000005D7000-memory.dmp

Filesize
412KB

Download
memory/3088-293-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3088-343-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3724-23-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3724-24-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3724-86-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3724-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3724-17-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/4084-344-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4084-432-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4308-261-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4308-271-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4308-270-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4308-262-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4308-319-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4504-213-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4504-56-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4504-48-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4504-49-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4616-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4616-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4728-429-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4728-332-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4772-320-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4772-425-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4772-310-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4828-348-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4828-305-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4828-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4836-323-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4836-426-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4908-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4908-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4908-422-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5000-309-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5000-257-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download