9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180

Analysis

max time kernel
142s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
Size

3.3MB
MD5

9f622e68472f4463dc0515d52fa08ef2
SHA1

ca67e591511784bf68d635d472ebe9d5acf59aec
SHA256

9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180
SHA512

6b0d89de794c1bc9ea95cc32ef051202dc35f534e700433fff3008b61d1dbe56874283426029fa3c3b480e77be45afab01294a4b724e564d785c31f17189d667
SSDEEP

49152:t3BKBUvdWJTy4oia5w32OvfZcvkuRdLHkJEANmsvHHu354gxV0HyYsYd:woi+w32+QDENms2JXPEyP2

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe

Executes dropped EXE 22 IoCs

pid	Process
2612	alg.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
2240	fxssvc.exe
2084	elevation_service.exe
4088	elevation_service.exe
1596	maintenanceservice.exe
1440	OSE.EXE
4868	msdtc.exe
4536	PerceptionSimulationService.exe
3148	perfhost.exe
4456	locator.exe
3212	SensorDataService.exe
3464	snmptrap.exe
4208	spectrum.exe
1148	ssh-agent.exe
4080	TieringEngineService.exe
1956	AgentService.exe
4384	vds.exe
1004	vssvc.exe
2416	wbengine.exe
2228	WmiApSrv.exe
2304	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\941e0546b3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 18 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe
4764	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
680	Process not Found
680	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2148	9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
Token: SeAuditPrivilege	2240	fxssvc.exe
Token: SeDebugPrivilege	4764	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2084	elevation_service.exe
Token: SeRestorePrivilege	4080	TieringEngineService.exe
Token: SeManageVolumePrivilege	4080	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1956	AgentService.exe
Token: SeBackupPrivilege	1004	vssvc.exe
Token: SeRestorePrivilege	1004	vssvc.exe
Token: SeAuditPrivilege	1004	vssvc.exe
Token: SeBackupPrivilege	2416	wbengine.exe
Token: SeRestorePrivilege	2416	wbengine.exe
Token: SeSecurityPrivilege	2416	wbengine.exe
Token: 33	2304	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2304	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 4620	2304	SearchIndexer.exe	124
PID 2304 wrote to memory of 4620	2304	SearchIndexer.exe	124
PID 2304 wrote to memory of 4828	2304	SearchIndexer.exe	125
PID 2304 wrote to memory of 4828	2304	SearchIndexer.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe
"C:\Users\Admin\AppData\Local\Temp\9a6b448d85b5e3617cd16047c347d3f84a320157473402fd8bb1c79ef15c7180.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2612

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4744

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4088

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1596

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:4720

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4868

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4208

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3776

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1004

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe

Filesize
2.2MB

MD5
0b0a8faeb32f273cd8dcdff5179c23c4

SHA1
8e1993974a94328c97b67dee5adbbdd73e997cec

SHA256
c75c2b27b8ab2595e8ab41c82ac3e1af347c841800244196f63412c06550cd6f

SHA512
2ab3856e3c9eed308fb0e8fc78b01dfdd92cbc61685fec015d81a790fcd490f7316fe916844afab5364ad25dfa9c29d9683e2268a7a9f5f11aad61f2721fa7b1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
3c5e4ae301adab3469025077ede89b45

SHA1
3cc8eab5322bf7b30ce16ea4e923feffb152bb1d

SHA256
cbf7af8f4a1d284ed3a372b6c37629b3127c4f21887949ace979071341305e52

SHA512
daa88b316b0e11c9f9ccaf054b2af36b69f43949b8e74ced0cb391942e61bf9cfb9a5424e36c6b849f3f5c48cd5ebf80433d80ff0780bfa79b01053557480028

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
9a74d71e0ddc8ea483d884c8b8eca379

SHA1
d39a079a12978d8c41e7b718b9c19383bd74e549

SHA256
e9462420b8652078fc5d907ad67d86a418ea15f5f4018b91dd8d1ec1f350304f

SHA512
7ce2a21272f5f4066ac9bf367bb6a2d42860353092f9fbecbd8f1d03ec9a85a6d58e705959ab003f4941746ed927709afdf2d17099d4dc35e052f572ad550b20

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
895fa11460903e4bf612fd0dc6cd0dc9

SHA1
e94b35096649815490bd3ca1ecb93bc1d42e56e0

SHA256
19079c403264e89a1a766899de2cfadff04ca6ff4927e7aa399624176a99f992

SHA512
f736e847771257414d9c9cceab05788a4418e8a11f30d1b2dbe8e41acc8d5e3cbd652c0856780fe6cf5bf8fd3c0a0bddbafca06dba1229c439208dfca2770ec1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c325b1ce9ea4116a12e0c04533cfd212

SHA1
6e89446fba76848ed425f940e9976a9a1f052faa

SHA256
1e1c29cf0a3bf6b4e5fd5625c3523c98bc051e77729f845efa6360c195df8801

SHA512
5c188f9e4fc8c868c896d9b8f794cef680617541a63622ec4365aa023fe92365c8fcb1a4f49a5dceaac8344f66dd2cce14e91852cdeafff7103b23aefae455f1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
520e564639d63b97c8b4e57c3bcc0270

SHA1
c4f465d0602dd1148d0321dcc4bada6cfa414a7c

SHA256
401926690276a50201ef5bb079a85b758584e218c6447d6e8357f484a104e092

SHA512
526a9d3113d1f3e2cf9c6f1f84182c4cab446d37c20897d06849d15c66a2cc22f9a42642b08b849d504d3804bff25b1df7275688f9dbc47a86f629efd5a38ce4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
99727b0ec479c628f363d62d1254004d

SHA1
85f983027ea9f4a537e3d2b1a640381ab13a12ce

SHA256
8e215273e35cddaaf190037f620dd60dff35ed3a8c9abd1e83a26d3137b7c665

SHA512
9f45d946129288f716a5d5f9c5c80040a63e902634852bfd2baebed995bff84c00fc730f203aca9aa43ec4bac8777d29f727ba012f3ee82f7dbfe65a791b58dd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
99ba1f4c851da36d2e8277d8e9e67931

SHA1
47ab6ffd10ef06b23a535fec84527273571f0c20

SHA256
007ab4096254135234275137210a216d2194cad26017aa39980d8945910dcbdb

SHA512
3c197602981b5ace7c4d91acfbc217a37911e855f21692227194faa47c399ffed87c380ddc33739f91ffb2fc3d01d19098765b858d60e38f9c13ba95700e7bab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
bdacdb9f17f824c2c7e6cc549b2c85a3

SHA1
d71a7aa631b329ae20f5d9dd87ecfc7f3200c197

SHA256
d500fa79e592acb8b279325ed59b465ed4090f0ea238b7476010bcc62fe70df5

SHA512
5728e19b4c5825965a6ed7b944b3b0097a1507807a418fe60f7e5f1acec485d4c1bba3c8ef7a7441aeddaed2a5ed8aa811b1a8c5f793924119013e6969127553

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a1d536abeff603eb3ae87c643a7503ff

SHA1
e412dd29e8ffdb8a8d22ee1c5296b08355b70081

SHA256
00cf49c708196ca1485b006e71b8ee34ff17951221f7da0a22949f4af06bd828

SHA512
776866676b20c7b107a95b40093d07c58e0f3c4e6c034f3af14479e5b4868b1b91bb6248472167c7f497e90393b2d3f0aab3c597e2b8c485044b8e88124003db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5ba62c596f4651c3e436649df6a86968

SHA1
949f2e8d5b3601ad2865e56b9cb166744a3a71e9

SHA256
3ce7ea2d7bd69837ef45a1045ccec4b6f4d62a1d532b6731d1ebe900966962c7

SHA512
f14ac86e3df6247a857541e7122058686982ace160364a5ff45f8b888b821ca6d6f3ce379150431aba03e9eb1941fb1a833f233012c5d862d435e1c8ef2f25ea

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e594a18d51a00a56a6659689b17a0a5a

SHA1
d0e2a3be499a97cd8262464561953a96e31e85cd

SHA256
30de17550782b62644411f879ca4e5217712793b72b520e7806460f5e20199a7

SHA512
a10630ff49f14fa61d71c841f5fa3de5684d821185bfbdbcf1ed413486a50c813b704f2b636430101cc5ef7b6414ffd6602daafd84a3efcf9f10f5b760e97aa5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
e27a930e04c5a17b870bbe944e24cd5d

SHA1
78cb3f4d492d1f3a2b1a8c8ffc2738f9513fe1e3

SHA256
360eff4a8c887cc3878514c228c5451954d465620b74e791de524bb15e3dfd2f

SHA512
04bc388292fa48bf908d609cbefbf0fb133bec9630c93647ed79cd359a44962e10716f95763922d042fe2e22ca4686e1d7b752545ca337436295c97f3b366d07

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
db3cd4dd4848d5af7faa949634cc2ff5

SHA1
e35625cabeaf89fea41eff01c44b16120d2a4bb4

SHA256
2fdc4cd5c6ad0c61fc7f72f1a03ad94c8b450b5775e9ea8bfa91092c4ef76c7e

SHA512
276f0f6605ba6bb99386c9a09a83570ba5c22c561ff4b1a7a526cffd7b8662a3e8a3fc54877d793f328de176a483e34b71a77403e5a1847a99680fc0b2e4f9fb

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
c50d436ebff99ea4a0e04c8fba630ed5

SHA1
86c116e86c08e8029158ef10301fae69c375a396

SHA256
1853775e13e08b841fcd89317d86278aa50d9bde90fd6a25213c06ab5ba80bd1

SHA512
33f36a5b181e38a104d3008f3b255076c973a9faafa32e9c98e483bd2b4c2617e7ef04f6e1dc624a6c79aac6d103f574ed18dd92e7aa86d6ceef9636d1a4f9e0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
116b4e964f8011b9dab23c3fe4079a71

SHA1
c71ec3a3b6621606a59582bbf7d7c12eed85d79a

SHA256
23b17549ec961aa89a4e6da542b099fb97562f019178f9d5841f5109003c5e0d

SHA512
7af9f179dac7f19ae0c8cf48f498aa1d9035fbd08928ebc3e21df1728203c400bcd35cd29a180c611b8b045abfeb5225bcab2fbe854e04d15956ae03ebc878a7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
7441d543c651fdc22b9af3291467b9a0

SHA1
26890c6fd41f5019e1ec9eae02013985d4f530d2

SHA256
5a253e0c80d739ae29023deab95486ac490a1a56eac2042d673856535b0f1ad4

SHA512
e13dcaf1ff8ac14fd98f52ede66fea7fd187cf1b4fcf1f47ad641947ab2bb9600a09ca82c63a8c3b119051d7f6fda3aac2eef424473c79f2e765f7c61c211945

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
456a36e599cf6f026025b70832581a89

SHA1
74e669434e0f2ec99aad07b8a54f990e5fa834aa

SHA256
5a57a9555ca933873528e97bd6309327d40806de6d32d68da257ff81f443fb62

SHA512
64a9ec1d0f0bb4973515495c42652c808292a5053ef32bbd47280b2a1c46f4b166db292f75eb8057b986a00dfa01467e1caa2cba19d254dc61d4e8f938071451

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
6e5348cb68e822f779f453d0660cdf81

SHA1
06bb6956332d93ecc96b93faf2d5b94799a82f06

SHA256
f1dc8f1fc29c4521603807ba5c9b00fa59003ddd2147f728cc3fccd1b2478c10

SHA512
bf12ab605b1632fe229c1b0aea82a4f865938cfb66a7a019228b657eebe8e86e6ba4edb084c4420e2f193c0c37639152bf0a92042a02a160cffe690ff36b4984

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
9470474abea6eaa4d8e6f70b7dd78e67

SHA1
f2dd8cc5989b4032ef193b0703cf80b6846c73b0

SHA256
4f52c9b7b72d48b586f2ba69f1f0bfbbba6f2545ff47cf0bea2b1c9fe7a239e0

SHA512
40f46298de78ee4cc80b5aea01dbe1dfb89a088be939fe150a70b498804fb4d50f4be2bd1334639c431630e2657d474761e9035d2c10feb8a4da482cdc2473d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
636e9d21174e0e6f910f6ea7d92720c3

SHA1
5e2a1f5c56f0e97d52fe7d779a90458945bf3aa4

SHA256
296aa78be08803cc28180d58a1cd0e0077b8a166dcce2fc1fa932e486547209a

SHA512
7e56437fe7543490dcc37eb968e2862323c220c77a39ab539fe20719a1c42f1bcab7f1297f58c11c4d238964238d40464b64ac99b3ab63061891c3c95d2d5828

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
b9cee784142b7666bc964629dfda5d7e

SHA1
d59a3d6fccabb9c8d445cdd59c33069aa87e1ed9

SHA256
fd328df09c18100b06e681e4da2575c1875afd56a106ea48d5e0da1aec2064c9

SHA512
e66a2ea83fce0a4476e347661b664766387b5395210df296be1fdc1df71a98c63111e9250f879bf8731085be95a0ce1a964cc3014139b81c43f4d04c39c41cbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
b43e25e3dc864e6eee8f1ed417365b60

SHA1
503eb0289354f770698176e717f511a49e7200fb

SHA256
e00529172f5c1dcb601f6e676e33485b66b274455307cbe962cf9307f53832ac

SHA512
b6be5dbe65772c75c8b078589cf3c0c8edc90aa76cd5a5d6382cf93f2a8ad98b8b48d5f0f0eea8ebfb8ef207da900ce4dc485ec9ac61ebb451bbe6503f282269

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
f76d7f97e4eb5058c4af978a443c1353

SHA1
b4d845d40b1b52d761143cb5f2c1da5ccb731fec

SHA256
eae31810fe65e3f5e8e5f27ff8f34bde27c0024a6f23acef7c216f8113d60045

SHA512
9b1d9225b6d0efc9f9359fc2e5b621e09afab4d28f7886353e59a052e261b78bf60013d266f2b3402e3519e3fc5c3bcaa7ee5b98ac085ff64afb07b8299fbfa0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
20f57ba4606deebd127f62febc44bea6

SHA1
1709a0fae71f15710743eab53501e47b9bec3875

SHA256
f4e821506c9bee23782c7585f1057f11ba074371a8d2eacd2954307752a1c622

SHA512
5419634b4c613b07c375baff40acb45db7028dd0610a9d84baa678cd4220bfa4600d6355173ebe6ccc25188f46651d4b3478ae282093e359dac56cccdcb9601d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
766caf91612ce1a8ed48a87dcfdf95ba

SHA1
89f4380606575dbd01920f5895c1b5ee715bb6e7

SHA256
8e9f735c1bf1f0653f21648d392608f0f17e615bf21182d1ed77b5286a94a6e8

SHA512
9262ea3c2ba56667df59c66955695e3779427ea803cc1fd3f124e589638a0e6e7bc9c673121aa9e85df98e28f25439938a95d97310f78826d9bc4fca2861730b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
02433baa6630026ab55e1d9b98165d7a

SHA1
014b610f04e08691e34fb627d8faaec48b505d39

SHA256
64f81d584a5eaa122ce55ef3041e608c27fbdc0516814b91b2057a474b2537ed

SHA512
791254b727f9d215dbe946db17844c8ea8ccd9c3c082d90db0d61aea0cc0f7360ad49a85975a806549b0069f72a0d702b3bf61020995e21d61b45535486d3f0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
1610fb473d99ce59477efb0566e4cc8e

SHA1
c0df1ec394758d0c5a5d04c4ebfea6e9df125e1c

SHA256
f0daad7bd3582bfcbd2e694c97db2102754a955218c2dcfbf23aff5e939155a0

SHA512
0f9f3af4df0a457521fe0686c37118c70dda7e645626056c4c564e451a42921d801bdc50369a4209fe7470c7c9489ab2df1243e44b2bb7f154aa8fdaee97a29d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
bd3da0534ac5985298efbece438edc67

SHA1
a7643f4e9a066998387e5edf65917ef2660b8050

SHA256
40d45d56a592054296a752bfb3d004802b75e9e75acc72233f4e9807f610569d

SHA512
3fc889a4dbb61897c0c40bc300da26464987563ef69fd73c99af90011829c0607b99b459f6ccd9eaa312f3bff17e232f5228f35b7df41d62a7123376ffd65bac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
2badfefb4217f6230aeb1ffdfa42927b

SHA1
566a04298920b102a575d0ce1caf3ef61e35d821

SHA256
b546557a5bdd96e3ced00183df3b4c2f9c4e7767881a2242b14dabcc86382995

SHA512
3c0b1fa14e70ad2099a40547a06f4c079bd9e952e2f3a35e83fe3208d5509e653564e1b7f38b15d30368b43522e8afc2fe45468a1c48e638d31866365bc5782d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
dcb587e51f1e4cd0233c9a3a19db6ac8

SHA1
9bf8432f2a4413032609ebd05968d3a21986451f

SHA256
0095597a98330ac7c97a5fb63af7d58ccbd0b6e16ae19b637ea5d5928b4a3367

SHA512
a8bec3e5ff81f2b41a050f4b46d176217709d92c15d5bccdf6cfc3e9de9644b7ab14601db6f967034227221d025ee9d70544df208b1288e1c86a5e7ae32f3a74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
5a4960bc1db094dfa7d77c56bdbdfc85

SHA1
943337b483fc3ec82f78b35c816aec5449cbf0f9

SHA256
73166956bb7fac610c93ea547ae5a8157da2a0b5c76d6dc7697c8b8da1f52760

SHA512
607e6095e710bae2e3cbe56bdf580415bdf4a82a0da5a648dcb218da0d9720d457401e859f4059225851bd52a65c12da159001e867edcc150a81725c6f59ea23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
434d4d5735f820e2d9d212c4d48934e3

SHA1
af79fe4a022a6443d9a382fee25e631edd0c7e73

SHA256
160a30d9ca18648ee676b1e4ff052618ba6d35dd5fff754630c3f54240571b45

SHA512
8bde568ace62f418b2753eea303feddfd2572cf7aa71a30714dca14fa242515e6b7dc2617ffcf4dc7bfc1d1703dc367e910f662cffb168ff78346417337bf488

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
2cf4c5010fc90e83b2886bf6a407c42a

SHA1
ca54310671a34865dc11212d41d24686b863a0e9

SHA256
8a11a7e619d08ff9466f80e72bf57424459821ae91a2c5494a814e192d632ee1

SHA512
7f377174fef4bf9e2dce9104f91e372d53df3ee7ab6df18a43f595516239a3b4ceb77cfbdd549180cb73fbf84e12ea69dbeb3f1e4d2e7c22a47f9cc3f4439589

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
105861278ead23c2f251269511eb88e9

SHA1
44089a467f77dd44d94efeb2a88493e32b4707fc

SHA256
467c05d9e7adcf78baa4d47b76f755824619d51e91dc47db2239cc8d147bde4a

SHA512
3d94ca64599d6a88be71a6b6421bbfec8ec3a7fd1e9af5d941d2ac869381939178ef5ed9bbc310710b24eeee6ba41ca94421f0814add58c102678cdf6c6fdbab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
966b8630c17a61b52612fc0522f3467c

SHA1
87af68e57667c2d8245ec8237832a3850ba18932

SHA256
4f1ff615c29dac18a309602ea90c529a4c99bdc964b360f42905586eeb0ee43c

SHA512
e9e3fdf527f7c9df1fb595f2412ab5a97c0a31bb07793ef4841aed1405c7b58937afce734e26d57ad0837f2b64e344c6f5b708e607296fd209f394eafc2f4c7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.1MB

MD5
7b9ebf53c9031235f83354225e963c69

SHA1
6f0b718863fd62c3582792fff9358fdd2ae8cc29

SHA256
7d233e4e1488c32a24180670aea06022e943469dc359ff8b15b7bfab61681ad0

SHA512
1691e651ac6a5ebd9284d015654f01d0a02352fb1928e66a588963405de26121c427c2d34abb1b744e877e206faa5eb3969acbf2e854b01b838d2a1f503526e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.1MB

MD5
659804a722e7cb7329d76fcb1f0c2917

SHA1
81becc8847b6e19a37e0c42205db85cca4aa3848

SHA256
1aefdd60b6dad5a085cbede4ecff33d51ccceae06bb880f094b5cc5e1c2542b6

SHA512
59d5281dca6568f0bda992ab17d7ca3ebedabaa3d8545947f4b12eb38080ce571aa317141f722dfffabea84c875d8099cee322e6c7f25e90a6fb96be7f7ffdbd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
4906de97db13196948232d4a9168bb91

SHA1
ebeea2ad2039920e2112d39cadb1bca90d9f651c

SHA256
aaa512ed45d84a3d2649af0eab04da8dca6ed9a91f75d47330a22131b21b5953

SHA512
1a839d0fcde1cd82ea18ea122569744e7cd4717350724e1c3cdf6f7083ceaadf0fb670a223f7f95f9b7f1a12c0e1c1b80c04db967f77c234367cb34aa686bfcf

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
230cf7a0a2dac9a2021b931fddbda151

SHA1
223384e5c92df3be1dfafea0341abc11cf96b063

SHA256
752acafe61c94b3fdd702f5c37b44b9283b541f1c84f48802f1c1a73a972e4fd

SHA512
09a71fac8fbd736eef2f1e0c7008ae853bd0e26de2d8cb27a30b89faeabb1e8a2c9d3e558fbbb83dbdeb84a875f7e2b82b670d99b8344d590dd2bc8742d487d5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5add868c14628d94d6024aad4b8bda21

SHA1
c9a1cccc3fb493606a83fb8867bc012d6b2e23c8

SHA256
b5d76283270c15f389ee087966581b4b149bfa01a214b4ec989f1b98b335db6f

SHA512
7b0149338e837666a650ecdcc6ecbab78cdbbbb0993f928939bce5a74018ab8bff5a6729dbd71b2f40f7cc1ef791d74d8212ef6df1a5ef3e6dfe3e052b838b6e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
50c08dba38a6f60c055091aa78d5e8ae

SHA1
c3ecaa327ca779616d4ac989d2bd8bf87d34f92f

SHA256
4a402144f65a6a7d2374a667479fbd7ab0677b6d2abffdb5724db532c1b1c8ec

SHA512
b23d275ffb0ec3c0641e38fbd8733d49c28bd892fc5d8d2369a6baa909bcd629325e3c9cbf59f17a016168ccf3d0aff6a00c59b85b7cbdbda0e267e310ca860c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
bbe9b53a7895570923bc9a4c59f99c58

SHA1
a1d6a6a942c6d338093d00b8d780e9b58d9f4c89

SHA256
d32e8bc1e0138d69b6bde0b6f67cd70a03c2c27f604774ab42b5c115a2e05a78

SHA512
4980c8800d8cc75a06f10cca52cc690395e056eea7ba8335654aa74bf0b6dd4ae79110c4ddade8a815afec011553ab310d865d28d4d41771faade013da1f2c3e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d1b36d445f0d82340455d88682873e3c

SHA1
91c896cffb6ded140473679863cbad3dcf809272

SHA256
8fd8632f12da97ae0851949fe5920f67708dcc65b5dfd257d8e1608be578dc91

SHA512
959a287edd213d056129e90caed7df086973befa2e814421132b8126a9e5ea1c613f62d99d8cf3edb3b188034143c70f42fd1676853535deb8557010363350cd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
414788a9ec3a3663fb434f7606df57fd

SHA1
ed24f502534054c8c51fcf486c35aaa61c592de6

SHA256
4759c4b7ad0d74b88afa4aa7dc2ba06261b6dbc2717fcdab3be42562d71e3f35

SHA512
e4c485ade04951352cbbd129887800bdb8b006007ff5fc1d8aabc8a5149c61fc481021034fc5e17323cafedc9845d3e33817f37a3543b3ad8348f2755d33f28a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
58b13c6a24d6356f817b61e14e85af6d

SHA1
684092fcbf3811f6e908385a97be14900fa7a6ff

SHA256
7f34f53c800c51fbeb24d554024b2e9ae5c7c1168c2d5a877f999860974bcce6

SHA512
95af93a4b210f339dd277ba6ffecdd21e61421064277fd3a19d85703e02269c1c131366b9afae3be64c9645753a40bf1d982c814a30d161f6e3b640e115ad31c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
de9b062e749dd3d6e4fbf7b391d4c6f1

SHA1
0655e5748bbe115dfbdd83395423c864ad7214b0

SHA256
ba0cd881c85c935e8dbfda1aa5169487ccb0bffea8bfee34d452a0fbcc85ef03

SHA512
1f3187f65c2dd252e94727b0b679af8d629b3c366360496b13b296961cd8e5dc595ab2abde2cb31e66aa92c2e86678f74280c9257aeb1b5b70b6298b80b28032

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
65525a145c003f5e3b39048449e97214

SHA1
f931ab8274d4440271670e1c93f22e6fcd168c68

SHA256
9de95e1bbf04db1d17842de874cb8d424c87331b6ed7eb156279f74f7ede4c4d

SHA512
af955cdfdb2bf914376561eb6f166860e129697d648abd4908691e82d1230037d05c2017249216c533b535b4201694ca4568a5fe68f34e1ac8f060e2d86b686d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
17ee0fa93aac769739f71989055336b3

SHA1
c8efad9691b13c9c897a95de232e265441f199df

SHA256
77ee6ac665e86a4103f4f15b0cdf62b34fd94363ea48ad4d06dc9c39f79947ec

SHA512
732776a55a372e9678042b70d3c3609885cca8796fdf757c1b46f9ce9c699032d8776b159afcd702f77981d453474ed89af7b8aad4eab1b61c1066f8412fa2d0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
66861924d569ef01077ad958f78ad544

SHA1
113852f04ec5f6bf9cf76a5caab6607f35d98d68

SHA256
82c40cfd34bd184b01c2c71edc4de99b5df92a07e99ab7cd7f1d5dd727002c3d

SHA512
15c0c423d5b3df9d62aee4875cd514553cf3b8ba0e249bab550d13b4fe73f2347de18d60e15fa045ad5ed21a1887be90f1aec984ccab2ba737902bb81afe1513

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
3aebfa9678f93bd0672eba76758da362

SHA1
da4f35383b1e112575dab0d79bccf1b23ec4efd8

SHA256
a93dee8e56362d6b147277530e7a4368f572f37422925003f736890ed30939f8

SHA512
020169d1eeae0c2c0f4c2da98805763918c163bb2e1d0a4c49aa7692eaa6702d96c19dab8cd70568cca5ad31d3595cb202d0bd8bcdcbc641b126866c5317d882

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
055ba2b6c5f0c23beb6c57ad4e390970

SHA1
b26e7e7b20872cdb10ea301b81851db3af1da1d4

SHA256
b8bb47853096d4aadc383b32f45cf84083c3d93aeda94ce667fc4edc2cf31dc7

SHA512
f95b7c466457555dc9e8f8b6d88133f46fd9a441d2bfdb3f81d96c845249c1a35ae45aec39bb1655a534c16fba1875e91cb60f5f041dab7481b82c41ac9ae896

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
cd291df1b76bcbdb895af58f64cd89b0

SHA1
cd4de359a6a934f6c013103224ef67f39ecb9e3b

SHA256
ad9c580f0a52e7e9606e905ec283e6c5c689d90937b6e9782657e7bd42e7c5a5

SHA512
acdce357dfa0dcb21297bfb4285dd9c23b9aea55e3082f836fbca178b4acb35a5d7659bd74d367ac87278883abf947a1bda25f3df30600080bfd27ef9187e02c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
61897867bfc4658534631abe463dc4d1

SHA1
139b8b6bf540bab1af6d89857ae65c77e3870ef8

SHA256
f0b05ba742c22772b858636c069146baaa63e8eae3263b7bf6df016a1e7dd457

SHA512
deeb1c88311fae1201c9cba602402941b82d78c6e4e082825136ab97480dcaf16d77722d58b16829dcbf5ca11686adb67dc3150ac0532f508146f93a9bab5c43

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
76d78ccc6a07e3fdcf27029d30b9138f

SHA1
25e6c2c8555ab4794cced28e9c4e8a172c95b959

SHA256
f4c62f53607084ff17f3a58cb16c9637bc458066b9d8282073e87db0f52c3095

SHA512
0ab8f4e163bfe763dc2c04668754a38fd2a2fe732a0c73706816e152b449776bead34262002f51ea3be0d80a522a3a8316ab9f37e0216d6cc8d53b6b903018b2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dd8c809e130e341e7bd0842794a45b7d

SHA1
742bb8341f5af22f2cc4b48d0f5d69e68ba87683

SHA256
6c3c489dba29af8d003da70ead5e427563e8e68d054622127b1cf66e8943e37e

SHA512
ae32e851b9c98f5d1d28d95ba8c217e0cfde181cb1493b0e5e934dc2c120eeff45db4d368db6e2df4dc622dff4c724fe4a0c405fc8b4cc39954b901a257851fd

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a9273da2f871e350bcfc396d126022de

SHA1
4473ed09471581f0fdd4b334edb3b4198efb894f

SHA256
9bde0a54f3a3ca3ce09f13af60b25f68fac755f8e8b0f11abd5b13e59c35aa9d

SHA512
9878742007b26c304adaa08e64caa651ec1261969fad1c66920c3cfcd6ee0dfeb99c7523cd00a51dbdcac12ae0e7a64d5ac259f9f006e531697819ae3dfb1ee1

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
b29f9ce137fc97e9118adc5195e4846c

SHA1
4b665daefca6137c57e0ce24aa858d680c392d4b

SHA256
0b20b028f8d409074944c54794b476d0faf6655359c57f02b6c8291be7a2a195

SHA512
84bffc0ffa947dbd26d843ebc97fbe827ff0a9cb6a9cb8a0441ae2af78aa0cb7b4d1a6a91d25db5576610d5ae8077ecdf7aefef1cdf2fc901c1a1275a9c52b0c

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
2d8123ec656230a33967d06510fc0e4a

SHA1
5bdaa798d1f2722c041dc07eb520dedf0fdccbbd

SHA256
1e6ea713e2a3c936d97b4e292209893d29359ebcb375c91251ba64a19c766c09

SHA512
0345646df1dd80ccdff90759dbb23b80afe55ebc6153ea0bd9c60c176fd5088150e777854f4ef1173d165b75c7187b680c2fc4bca187b0d363dc224d2eadc671

Download Submit
memory/1004-328-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1148-305-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/1148-417-0x0000000140000000-0x000000014018D000-memory.dmp

Filesize
1.6MB

Download
memory/1440-243-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1440-75-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1440-83-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1440-81-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/1596-60-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1596-73-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1596-70-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1596-67-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1596-61-0x00000000022A0000-0x0000000002300000-memory.dmp

Filesize
384KB

Download
memory/1956-321-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1956-319-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2084-220-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2084-46-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2084-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2084-37-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2148-6-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2148-0-0x0000000030000000-0x0000000030358000-memory.dmp

Filesize
3.3MB

Download
memory/2148-8-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2148-32-0x0000000030000000-0x0000000030358000-memory.dmp

Filesize
3.3MB

Download
memory/2148-1-0x00000000009E0000-0x0000000000A47000-memory.dmp

Filesize
412KB

Download
memory/2228-336-0x0000000140000000-0x0000000140151000-memory.dmp

Filesize
1.3MB

Download
memory/2240-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2240-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2304-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2416-332-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2612-174-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2612-12-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3148-331-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3148-274-0x0000000000530000-0x0000000000597000-memory.dmp

Filesize
412KB

Download
memory/3148-273-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/3212-412-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3212-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3212-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3464-290-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/3464-415-0x0000000140000000-0x0000000140121000-memory.dmp

Filesize
1.1MB

Download
memory/4080-316-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/4080-418-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/4088-49-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4088-57-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4088-55-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4088-237-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4208-293-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4208-416-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4384-324-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4456-335-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/4456-283-0x0000000140000000-0x0000000140120000-memory.dmp

Filesize
1.1MB

Download
memory/4536-266-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4536-327-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4536-260-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4536-259-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/4764-194-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/4764-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4764-16-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/4764-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4868-323-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download
memory/4868-255-0x0000000140000000-0x0000000140144000-memory.dmp

Filesize
1.3MB

Download