0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-10-2024 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
Size

1.7MB
MD5

e35eeec9843f0872805a46c44b2c2796
SHA1

833383d9fc670959869f658dce6f2feb75362782
SHA256

0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8
SHA512

38ba2a269b7ab3670697d65102be90977f87781cb8d5f4499830ffe3d01b724efa277ef2ffece4145eb91b78c987ef85bf3233f7eae72e27c2d7d4439f2492c8
SSDEEP

49152:CKxNuykTcKb4rSUfkVFjnaB0zj0yjoB2:LfuykT5NUQUB2Yyjl

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1476	alg.exe
2388	DiagnosticsHub.StandardCollector.Service.exe
4312	fxssvc.exe
3684	elevation_service.exe
4448	elevation_service.exe
3832	maintenanceservice.exe
1552	msdtc.exe
944	OSE.EXE
64	PerceptionSimulationService.exe
1880	perfhost.exe
3876	locator.exe
4944	SensorDataService.exe
4696	snmptrap.exe
5008	spectrum.exe
4700	ssh-agent.exe
3088	TieringEngineService.exe
4296	AgentService.exe
2384	vds.exe
2436	vssvc.exe
4308	wbengine.exe
3144	WmiApSrv.exe
828	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ff5c483ce5a029dd.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\System32\alg.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\System32\vds.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80703\javaw.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f85f8774991edb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce1d2775991edb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c227076991edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a366476991edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f978576991edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c8bd775991edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000268b9c77991edb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
3996	javaws.exe
3996	javaws.exe
4920	jp2launcher.exe
4920	jp2launcher.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
Token: SeAuditPrivilege	4312	fxssvc.exe
Token: SeRestorePrivilege	3088	TieringEngineService.exe
Token: SeManageVolumePrivilege	3088	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4296	AgentService.exe
Token: SeBackupPrivilege	2436	vssvc.exe
Token: SeRestorePrivilege	2436	vssvc.exe
Token: SeAuditPrivilege	2436	vssvc.exe
Token: SeBackupPrivilege	4308	wbengine.exe
Token: SeRestorePrivilege	4308	wbengine.exe
Token: SeSecurityPrivilege	4308	wbengine.exe
Token: 33	828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	828	SearchIndexer.exe
Token: SeDebugPrivilege	3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
Token: SeDebugPrivilege	3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
Token: SeDebugPrivilege	3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
Token: SeDebugPrivilege	3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
Token: SeDebugPrivilege	3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
Token: SeDebugPrivilege	1476	alg.exe
Token: SeDebugPrivilege	1476	alg.exe
Token: SeDebugPrivilege	1476	alg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4920	jp2launcher.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 3996	3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe	87
PID 3244 wrote to memory of 3996	3244	0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe	87
PID 3996 wrote to memory of 4920	3996	javaws.exe	89
PID 3996 wrote to memory of 4920	3996	javaws.exe	89
PID 828 wrote to memory of 4008	828	SearchIndexer.exe	114
PID 828 wrote to memory of 4008	828	SearchIndexer.exe	114
PID 828 wrote to memory of 3104	828	SearchIndexer.exe	115
PID 828 wrote to memory of 3104	828	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe
"C:\Users\Admin\AppData\Local\Temp\0e002463c4d4a808e2f8c38703ab67fc3bd55283517ff48e898a7c42b5e94ba8.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  "C:\Program Files\Java\jre-1.8\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3996
- - C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe
    "C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre-1.8" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxsaWJcZGVwbG95LmphcgAtRGphdmEuc2VjdXJpdHkucG9saWN5PWZpbGU6QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZS0xLjhcbGliXHNlY3VyaXR5XGphdmF3cy5wb2xpY3kALUR0cnVzdFByb3h5PXRydWUALVh2ZXJpZnk6cmVtb3RlAC1Eam5scHguaG9tZT1DOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlLTEuOFxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxqYXZhd3MuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxkZXBsb3kuamFyO0M6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUtMS44XGJpblxqYXZhdy5leGUALURqbmxweC52bWFyZ3M9TFVScVpHc3VaR2x6WVdKc1pVeGhjM1JWYzJGblpWUnlZV05yYVc1blBYUnlkV1VB -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4920

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2008

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4448

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3832

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1552

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:944

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:64

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4944

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4696

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5008

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4700

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3988

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4008
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bd591b7a36d92726b7ec35596f2ae213

SHA1
725839646a74d298f42d4d20587d4eee031b46d2

SHA256
f9fa3fd6aa83bb2b39a33218da245d4b3b4c62a59078ffc7eaa0cb30004478e2

SHA512
2b201370dd3fbe5765264d78b1a3f826708c13aaf1b6fc814976a29bf3c66620c8833e351b8fcde71d2595981184eba0e41fe95f1cf144fa47c2c4a911bd0a6d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
1bb6a9498cf336a8d9e78c24453ab2eb

SHA1
561a257e912cedd1428d22afaa31493e1725f59c

SHA256
1c1736cdf5d38741b606bd78c784813adf4e39112d5a4d402509047b48c27e45

SHA512
4bb4965cdb3509b5eb71cd7fabd7614a14707225da6ece36d32223634dd7f2000fde731d112f6a27684c0d68c088c8cee9addf866e81388b0db93731ed0762d4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e3a56e17cf07ac67097a6dc58d693e4f

SHA1
d60c7fa7e1463225a27796b1dfbfed434b5d0f46

SHA256
9f94b1e41812695f3cd546b965ad0449e48234567ac286ff9b0ff0c9161ca588

SHA512
4fa8a8dd508d44469445eb68f76f478552ccbcefda3c341bd6b0ce45455b295d85547d824d44f9b3cb12e4ac6d7f4d67bb78f33d4787b0b9b5231b43b612bcba

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
776d0c4617a6ea0ad9e0ad6481812e33

SHA1
51a72981b40019f65108411a34124f9333724599

SHA256
ab4907be98664cc7813f8a36a3b6b98fad8ba8220ec81347164a3d5818ee35c4

SHA512
4a2182659d12aa595decd366fb5593d9e58d9cc45ca9fd3ae206c282beb6797236bb1e1600d7661dae3bada2dd90cb4e8228923049f98ec928fe8d6dfec1ac55

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
583ed96e47e6182cd3a3c85e5ff704a0

SHA1
637cbfbea9485a0789bef1bbd720fb4c1ebd971f

SHA256
5b229240afcc57d5f1f76d60ab8f7721ca5963bd67d7becfb6bb614b1ef9e9b2

SHA512
a32c90229ab334accbd45821613b0cd437d57c203b3d6a021512567691e56793939b65defa0d53470e8355269416c9293c02f8e69715506e0959c75c549421dd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
2b72234ed7b0ed2e657917a5c1152d64

SHA1
0aa09e1b421be2ab9d38586bffe93c318bcb5591

SHA256
d449879cf54e236c25ffcd1ac232a33096407dc4935f9f1d1936dc73510ed667

SHA512
ea7bcd79ad20a4ef0d3980d9c5e426589a8ef5c6f125cd759506e23e6770bba66d7a104c6a65a476c31648813d18d26d4a171664bc9ed428aba24025e9cc5757

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
de304c4cc2a0f6e8d91bdb061c0942a8

SHA1
3d001f54b4447bd07459bde2824d62b7a67bb491

SHA256
100df4622b8f160d476a720438116694b4293d47b433c6f3755d9dd06bc2865d

SHA512
d289834aca801658c391d7a240a40f1be3ce0305d70d6c2304840a12742feda0df0c8c70ea2f76b8f7be3d3cbe96bd834ca19d945c7c908145b5c6e97e5d03f0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2698a09a39e0b09c4396f0807bc815ad

SHA1
1119befcdf7faafaa834e7eeb1fc090e1fbf4398

SHA256
25967b67639b3ec4105ba9977000065667ddc73c42e948b78de7dc2bdbc066c7

SHA512
c15f12b66fc9d0a5b4c5eec6349a9d503cd31373f1850a7d4bf96730a4f95209567c2b76d7aa62423d01716d83a2ce2d7587b79faae5020d98e65d30f3796979

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
41ba61aa99d0a0de73149188826193d5

SHA1
df6c774ea0e02310495553474e22fc6b0b07244a

SHA256
613d81c9103857df53055bfc7f4672d1d0b20258f4673857f3b25bb7955df3c1

SHA512
ea3b9dd0b5f83d76ae05e7157b17d879481f65cebc1cc1cd3b74016a6c1447ad4043092cd37dda71901c44a8eb57588cbf4c5959aa6950a58e2dd5abb8f6bf86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3dc4f3689e8ec40348f49da7de9aa819

SHA1
a252df0c15101c4bc1c82ddb15d5493211c2e1d9

SHA256
a84bcd04dc6089bb8631594ce0834d8edbccbf46e3a9378eab60666a47509c38

SHA512
52e680b1351e57a2acdbc6dab4825f560c0360efde4995ef2650bff778124ffa1d18cb07bc7b1082ba0fce1c5afcf24ca05ee9efaf9e3d51c1e3ea91f38c60a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6b690db082f45413963ceccda8d0c7be

SHA1
90b3091c75161e1009705d8b23a7964e1c4de6a5

SHA256
1da81c042d96bf7c1ee78ff62792c9d98cdcd9fb55b46f0e44a7492aaaf3811e

SHA512
2c0d6559fd97bad74e420eca67a7ad3a34d7d703c2ccaab91ce1fce93497cd5b0d09971d097cb34713f266ca4dc305028fd69b09256dceffbd261c0010c3028f

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8eaa374926c7a8770ed38333e2ceb38a

SHA1
bc0c7cbd5541abda902e3df94ae8055976bd6a3b

SHA256
e06be0681c3051b0ae8add8619fd876c43a21733196ea598f195b0ea811f19ea

SHA512
37e9518764a8c7596e0f7ca2cf69826a1405789ba640ae59a51fbef7a1f760d418f8ff651543d5fd1b807a0a0a632c9850884d86455e5cbca7b628ca81751ebd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1299e677c5109c6708400f8b0e51ed38

SHA1
5d0dc33093bbce56bd8e93c0a795bf1197439812

SHA256
cf4346211416da897bb51da172ffeeb31af9ca72216cdff284ab1f69b574a923

SHA512
325fb427d80de1464410dc4f7dfa57b99237fb46de00d67398d256e61135954d0842ddf7a04eb2416a518ffb68f5afd8874c09634c6b0c31b1493ff1e2bc9e8c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7cc035548c7e88b9fb932da6e4b204af

SHA1
b8b5a99cb9e51ae3ba0351696046a91e18ca80d8

SHA256
9976a49ef2f3dbb0fcdb275b949beb5b8a4a35aed49bb0f88bc00e8dcc35be11

SHA512
0b12694bfc2734c0408685bab12d863af101554286b85bcf7d8a5c2fd36b49524c2221443caa443219e1209eb0f8030c2895750f1baa203b7c9b7eae3c150bc4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
828af0e43043299f1bf3932c3dfa0c6a

SHA1
b3322583305ad381d82809a279bcb1c88d865bcc

SHA256
cb136ce4cc4dcc7e75c3f5ee9b18f7dfa8b5339399c9736097dd44c40f0b2cac

SHA512
37e556c72529d542590f887b37a13b8e74348f6221646ce301686e09c14a670428bd2e65623cd393ee39611d1df1cc3d473a62495aafdc25c63aaefad1c941c7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
30cedc1899c40e004525816ae9cbd171

SHA1
cd71a319e23f86a9752aac0ba6e89bec61de066f

SHA256
0e9337564682e3cb51ae8bd0790f041a8c10de871eafb256676f3027c0dae2ee

SHA512
d4a692abd42444d6e1cca835b70dac42769c267f206143617cec43f10d7016fe717359bd64f726d5b913dde8a00c779c89eef8aa7d084d9b3defbf837a44ba86

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
8b0ccb955f4acb077bd23a021bbb6609

SHA1
979421be77e1274a6fceee4635238c243697f710

SHA256
710a94cdda9a5d74f05456c4bb6b433c702b55fb82c5b35130ba39532b8b9e57

SHA512
6ed4b648a7a5faff711301063510288918512a0cad30d56f583c87e4ff878435bf3c4168bccde794bfc59a4943db27a299ece27cdc95f8ea2921b1377345d462

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
2acc5b4cc059eb37fe2c35744d83a734

SHA1
825d7fd3ee1e124d15dbb3d5edb8cae944fb0d9c

SHA256
f7dfd1f8c8b8f29c1a0c69231f6cdcdd04ca8995592e20bff0b7a440f0cc1636

SHA512
ea1c3bc5c6fe4cbdeb21f7b6cb8a3f8495cbba849f1ece44912df218e20141280d2764bd1c27675ad23cfcc4798b528ebea90e49b6d7425eb919f72981e3fc5f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
6bc8787f649e4a7ef2cae088871ede82

SHA1
7415c25c133d7fa93f7e370b79854bdbd8708bcc

SHA256
354513abfd1fd619451a4e738f63503a10b9c4d0724707f588f87897e4296659

SHA512
c0589e44e1e4516e36f7cf5be46017ad7c16e81e117e1cd085d2fe4841348b6f126f5264cea50dbe833dd342a0aa2b2c3f312ba3e44d616b9762d2341f8e02c4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
9519a26070f5b360a52a110c48ff6204

SHA1
baf0e9c86ae812e8b5cb2bd418365b53a1b9735d

SHA256
8cc4363434f225318915ded974b10c7c6af46f4573d78abb8b4abb56ce7c9d44

SHA512
33fa8e77e8e68e1cb58af89f4d1ffc936cc64b8548a1364bbcfe198548ba0f184c35407910644d26a520f96462552d738836df9dd6a12b66031837c9d7cb635b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a9176d53468513900eb8f702e4836d46

SHA1
f4da96a131c3464321c46b84ff2ec739ac726390

SHA256
0245c0bfa4cc37734ea23b80811aa5c80fd86aa14c4bb8d7bebec736f6ec2f1a

SHA512
32d921379a066fd087bea6d072345b51089f3ef65bb7f2936d4a72d0433a99c5221db69154f10c7c65a66045c90ec39792c1840f6158331d91114cbdc5af1cbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ad8f72639c6536e4c516e28026fb1757

SHA1
2edb8cb74f6dfe67aaa82bec64699b7e33322b5e

SHA256
c370a322688c907b1cf9ce7e743c826514fed8ba8546abf74ca8c7e8a49133f2

SHA512
8dff1c9eae64f7ea51217bfa321a9715970258e41a0310b78633f8612a202c90194bef6d51b7e1542913d1d4002a100a9faf23f687ebf237d589de075c34475e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
88dc6a574221f4f420276a332ee051f7

SHA1
8d5ef8f242618c9bcdc1854180e72544d73c3ec1

SHA256
c0516151382cb66b53c002d67bc49c1f91adc52dc761c5ff2720f157baacabf1

SHA512
98db336acf11bec018f80c79f41966b1c033efb02126b723f28c715af2d9374943cd0b1a627d9eaac4135e3edec5f6cba07c53ee23ea0fb904e27d9b8fec8085

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
38cdbf34986f6e1254c212aa005b20c4

SHA1
aab8637735f6dca94c424b0a86d22b0f76166ac6

SHA256
e7e29a620fd67e9ed9d8b29f56a8280fb9df983ddca66b754adff1270df88300

SHA512
b14e531b176fee76bc7f6a9ccbfdda6f853f7fd006517c8d50def67a118af14e09d3b42eb3fb13038d960441ead8ca20198e79fb60d7eae397ff07fce0cf266d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b72a18f804e5b9de1707c0476913d1db

SHA1
39190155af45f82c7c9ad1f33439ec358ebf1e3b

SHA256
0ec2ca44836415a196bd9b16d6634f1eac28783767f999c4bd93def1ac636e35

SHA512
d3084227c417be5bdce41107ef57fdc48795c5d45f4df8f15a46d2a22a675c7403751afa7899b89f9519acd202da433c513a08d5fc177534a9db79698e5ce7ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
799bae25159fed1e2dace97b48053b5c

SHA1
580cdae75a630f35162ee9f018e36e8d10fd2080

SHA256
a66544a0ac043382a26900afbd04ab9e807073881bde2a0a4aa20e6117e40fdb

SHA512
73f55f6d1364529dc6e1bfa752dbea589f2cbca58b572bfcc62296abbcae25d148aa4e35d758712b88f5730840cca298d6a81b23af7e871d32f309f790492412

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
14c02d74cdc482ae5107341618f331ce

SHA1
0dd2c6e0265b36e462651dbb303a50efea504ee8

SHA256
748bd45a02d5f0026a1f77c2c3a80623fa17802fee506034339227697b1dac28

SHA512
bff131147d769928b87c9eb873d585bf1c66d53088cd5d3b17f0635ebbf7edbd29db664f48337f05b9b1b9c196651ac1421f25875b359b8f902a2597bf884e71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0d727a7487f1f12289292f371228ef48

SHA1
544fb2fef3bee91bc5eea7e56f45341450d8cd37

SHA256
f92dc85956287b9718d31572b8b19fa99d73cc064920a539a30c6ff7711d62e3

SHA512
14734502ad8aee047ffd3cb1136c6c909db4dee893f2f25c9dbfa16be48708ce9c7dfbdbadf131e8b89dd23912b3558fe31d1fc7be0f283ab0df579b0402cefc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
282f62475e28cb625b1f80014b7661b4

SHA1
a831d12dd8d37fe3752ba9240433eda30b6e7112

SHA256
ae5d2e1169a165a0ac6b303c87e0a7a3c1627d0420f4839f2bce483f16b062ed

SHA512
3f6d0ec775b3c0630d58d19f94a16bfd6a4409bd012625f970f5931f6dde3c04f17a58cb14038b0ca29335784472b76380fa455c492dc1a22a80b05268cba107

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c08f44537b66c7cc1a8c5cbba396d681

SHA1
eb26001519434c2af7aa1fc73944b2b47336afce

SHA256
8866a5729ad1ec8634f0d7df6a0ed02a167ec0898055a7a6ee76c9b3b5a05f23

SHA512
244c5ae41b9d63a382f900612846f4c50074435aa26deffa78fdc9eba0e932f3e510582394a5a40156c1b62eb918a8076994aadbf5d34cee50032c7e70fa803d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
fb528f20c3d653340397a4aca2e6522a

SHA1
a4c9de8b682d4cdbafd9cebe5109f8a0d998c441

SHA256
13ec7125f291042e3384c471d5d6fffcc244ab60acba1d51fdc7bc9cb17549a6

SHA512
f0f23be2f1e5ae1996263c5fc4e0ae8eacf16c8b9e83cba0efadbb8000accd197f67f3800685c295e7d3335ca25f8cf5bb8eaf4685335168a9b1b20424cdf6d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
14c290c7993d73e5dd1a65d0b4ad29f7

SHA1
d587176e58687dfdf89101043061a2ebfc84f959

SHA256
af7a23a6f8ef282ca007db00908ca7ac51ba559f9d8b38d453942fd74aeeb1ea

SHA512
e5c823c2353d6190101ab2278947de53919929f21f285d1da5ae323111030d7d7e03b261e17596b54ff250cd032200606571223f745495edd608c4ea416085d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
abe80f049f177ab33bc307d3683780fd

SHA1
9ecc83bef3a0d243405f7c1135634bb59bd144fd

SHA256
e7415a4b1fa90c992f56cde04f7fcdd825e3bbe999a64bb56763b58089c0c229

SHA512
63de804b95a14287941a3878b72d3afbb6951fea6aaf49fc2e990e207e6220fede33d0d6117869bf265d6731af2da052cc2c5a9b8117e5a97b40922297e21553

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d3cc60dbb84abafddc7d50bb3e599249

SHA1
b2e5f1eb6b7470cabf67d19938f7b3f7003acc3d

SHA256
688c9569a336b20595db14a91df7baf6cf06a2f3a9bf33a4e1739322736a7797

SHA512
dc147aa89fdd69ded0c0ec5f68125fb233d6cf5d5c64ab930e422f72549ed88e9af6607ffd9ab6b2cd7db4a315832a5f47734eb3dad848eb561e865b3cbd1379

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
198d5726f5ce6739d29f4ce42e910506

SHA1
c1fb44c240f434b9a85fe571bf838392fbfb0bb8

SHA256
c94506e28bf3d796a202f1ec26602bd74368a88e60e7e73331a103308d8fe355

SHA512
e5e0f0d185d82fff74be74018845111d3fd61a304a995e0acadcd06105c43996fe5f0a8237256b9e9194be3d1ee18f9d4769645acfe1a606151acf8ea4310037

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
a9e841328ae2416ce439ab34c4d6cc84

SHA1
92cc2290908fdc9030c5e6e3722fa765af8a168c

SHA256
97493b26fbf46e6810dd3d5f72f89ddb6a1f46f22a56d752b9c96176393f7922

SHA512
c8122c5e625a5e19ce1ca2912873984ad5487a23e6f7f7901a6fdb8181c954b0c60942f8ed3d727e8e0052b0132fdef80366afdae8b6aa62a81109a567dbaca4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
96193f16a316597fe78c85f852ab4ad9

SHA1
0cdfc380f001840a5aee6cf975431372308039ba

SHA256
f2866686d55bc700a15b1fd8ff5a84d48c052d341ebba3a1d05ae1e595fac094

SHA512
edf249c3ad3fe0744af0db8c038927e84ee15094bf6f6691e44d6aebe74e5e548fc46d9e5ddb78024657c312aa0b7d03db8a3087e3bb1ad827282b90f154e90a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
c8308a2ef3d2a66e4377c4251d1fadf3

SHA1
e3526e390fdb1ea6e96951f55f0b93fcb8a4155a

SHA256
2b95df015d22f0fe7b737889fecd703f9fd1481442e7e5e554201828dc9c22f2

SHA512
cb2f23c3087abce017ea4cba974c01d8400d661004ec5d4da97598359ac31911b2091920dd71d0c48984f510a83645dc74fd1191c979c6324be0aafdbd4e99a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
896B

MD5
fa59b35f7fcd269f1198e662c113fccf

SHA1
77230cca1ebb7dadafb04efd4d97de7fea210ba9

SHA256
7dd22e895263f9b2d8aa95194ccacaf46483e4a3c608a59b6f7f94fdae776c26

SHA512
bf703808eaaffe6dcd2a44c11b128a6ff815ebcff1e0557c1b0063bb2f6f8d04bf5420200ecb790bac4ac79eef28c3930eb7581ff0517e8bd8124ef102d367b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
00e5f72258e6c602e6841bbf4c30b136

SHA1
52dbdf9eada5d7b0e015fd3523cca5cb915c23c2

SHA256
905a454fcb15e9f2a469a9a7e6e42b8c6425d20b33a59be5b84818daae964807

SHA512
50f0f286680fd33c29956455ca7e2d293402f369bd2e9079e45930853f1feb6e86208e1c8762d26dfc6f7e742044e912a4efded9a55ddfddaa454297cedc60c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
164KB

MD5
d23e98c9faab134ee259ac21ac6d6a1c

SHA1
c3d336a84f2fec3befa3ee635d5b4be4ce149595

SHA256
246c14b0cdbe28e64ac0b22c386575de1ca7784d44990428bd93b37ef52ed7c9

SHA512
9e13a243771437f10419d078b3f772cb1c5ba15cfc38a56565b396d265f309a2f337c37209b7239b86abd14a23354f45f43ab7f4f672b6465204e220606055da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
e0ccb50808b2dcf2f5c3023c452d50b6

SHA1
310b0581f07a7d624839ec7d5f1555da6b3b9ea2

SHA256
2757aef2904e4d3089be409830be49f352a76be44aac6180a4e4331ef9b21249

SHA512
b014cbf078bfe2cafd5341172d13b30c134da745404eb3ead8ff2c6c1919799a30445a21a7e805c1f64db191ae7af7632418b49367f1a286b010d6c9d4812690

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
227282da4b5bac2383ec81ea06e0b714

SHA1
3f44ef750a3e837dbb52f58099797144fcdd4cc0

SHA256
10ceb85ea5434c37426defeff611232125f2093934636d3f6e6b5e06444d105f

SHA512
e615aaf95c34d5cf000326e1e66450ae40a842b467c227da63d2b44f9fc236e704b9790c9a5a7139bf96bcfa80fd4b312d153059460418564813dc6c6ec56c10

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2aa4b32c93d304f2921263135a9c9a74

SHA1
51ae42d116f5455ca87a7bf23d9bed463facce1f

SHA256
ec08497a5d20cfbacd22317ae3c36d3765d2cfd67c0528f78620838beb665978

SHA512
3daaee9591ccf0c28e3f64fd528d48a4578e3fdb0b2f28b0145ebb0c681b6a4a30b0e5ca9bd108a103f2835ec71b7b17d6e0fa98aaf8e1acf81b721b9445a6fb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c5c16c5711355841e5a838f1bad468fb

SHA1
779f6019ddd3bfcfd77e4002e31615ee9a7ebcb7

SHA256
f976c9f42199434efd3a083cb31faa731c5067a843f94d4608473c618ff661e0

SHA512
59812bfa98f2b50a391f096d0deee6816c8d94d5cccbcdde7d5a5fa626d1d4eb96bf4ce9033d1b4481749f327a1107449be81568d34e106b8f8ee3cb28595c1d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
1b8c7559a280b1882592ec5e3f800235

SHA1
6860bf46376fe4aeb183daf70dc2e1b60788fc41

SHA256
e8755dd4533b0e7170cf0ecc2888a58a11713e2a5da2e2618f4f2178f3ea6b40

SHA512
6720fc3f98b7bf2a408b9e92add448ab2edc2915cfe37218508f33291cfa4e7e35eee3fbce50d7b30bb6ebe3b5c8ab6605bf3ba882d1115d2f7383b0895be4ae

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d72469c0edcb481a17d8e04eebce78e4

SHA1
676297691d2060bec029eefb58f888fe0ca43f1d

SHA256
3de59cd9aaa9cdaf1642d0177d5b03e03b3c4c1b14e41f669f5d51acbfd061aa

SHA512
1ec77dd6ed32ec4eb75a35f42295770c31000582f3b378aa3de3ffb5b1fa737ac1ed098cc800f7e8799c4f68140214ad2be140554246930e15d67bd352f5089a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2402a7e8c0fb316c2030dae29936285b

SHA1
f6c60485a275bdb5c2e5428548954f4769f98273

SHA256
c04b7ac658be6de41c392f627b3ea18179a355743e089286703dcd7ad1e21684

SHA512
b6cd387c568fb8aa053003ed2ea8593c52bea36ae874a09eda5271665591109cdc83d0fcfae21963a7dd798a6fafe28acfdc965a9562b92d215e953bf0fec970

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
2c6cd44cca15b52da4d25b850ad43785

SHA1
089d2761f9b851f722732e7022468ef5b5b7030c

SHA256
1926d02b4b18b53a2ca80806a27e9ca82c5975c953ffe5d8240b2ef3bdfb7766

SHA512
7479f78e4bce9b080e95c76d3596564d1dcdcaec87b0c29e857cc06abd122a804afa21629fdca300193622f21fa6be395134b79f5a531d0030a81e0e88fd9562

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9a2a797df1810245f07918a1db1b64aa

SHA1
d2ddc381b8b9a742c0cda46a397fd0331a4cc6e9

SHA256
f99ed8a95cee0eb29f438a577b280337d0786a4d27ef3edb48caab928021e635

SHA512
398ea62a11b6686fb199b7457d701ed24b824efd277369a21afc6866004e1b7165faf0ae3b350b9b16861878036edc49becc615069f78dfa5d9da4350b56dde3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ee0136791e93673a5936b301adc217cc

SHA1
38bda88a3189885bdd889b9e1e6f968e3a58799d

SHA256
18361a8b59eb6f4a8bafe753e9742e86516a24c38c180e4e7bcdb5b0c0f79b8b

SHA512
2e0c247a2977517f93dba47443e627e6b292d2ad02304942c93ce4884c0e481534cef56fb96fad69c133ce323d348046536bc8845fd72f1e5ecf9daaf44c7cdd

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7cd8d07427bc0eff41464f1abd577fd6

SHA1
dfd458ed293256c04c67a2fbbd693605a00a3f5e

SHA256
cc6754454b29561fae139537e32dbbcc50380549a0fe41124e565aec4fa95baf

SHA512
0b5e7b45e654fc248ec87f050c8ad16d67c9a3514f009ed9584c915bfbdbce5f977b3239d46cd9d4aad051c920ea1a8858840fbba45f449b47c5a0ede3222310

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
79c8563dd9a460743b02f9f1a7386353

SHA1
723ea551edcd7df6442ed7f49f0a8aba58569246

SHA256
d2b5e3e4cfd398e406884bed83e96dd1b635e6caaf874462e6cfbbf282caddc8

SHA512
46bd48b16bfac3b90981961081378b80d4ff44427c7a2b38546a8ecb13b83d9fe63068f74f295efd561e8d42afe1453f3824dfdf7830b8d68348e472de2da33c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
126f393188625d789ce603b7a0727ff7

SHA1
0027953273b9e0fe95a601f4097b3f8a730c0c81

SHA256
957ec79cfc4a9e6af79dc8d7427fb9925c1c2172ae4188cfd2abca596591b0f5

SHA512
6380cbf7431719c00fa44c51a64828cdfc7689cd10b3b160e27287ae27254e400228afe5df3f22fa430f9bb41f884bf6835ce66677fe1bba8668c916bc42c10b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
bda89a190d7d4b27eecb5f84ed989ec5

SHA1
f05fafa62fe2a8d2b79792654decc68c4ad7c2b9

SHA256
663270e551bc4f0395c07e264951b853f3a33f0e3e3e56f15914e2c67b137f7b

SHA512
314b26bac0d2b08d890e177f503004800703a89e72113a672765e8ad05bde329e898f0d70f895bda3633e4828066a7df9f5532b0f507ccf85a623d1f02f811d3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0c0ab0943c614b323384d54d5201b33f

SHA1
b851db5a9f546f412f71afaf4eea8e929b43f544

SHA256
713417dc28ab6b5d8f8d5ab94168864361d6334f4f5b35af9e043c320b9dd7a9

SHA512
9492c990fbc240cd33b74009417ccfa99ad6d181ff3361bedf7aa5ef226e5fcf300f9827c0db6237bfa876c36d6a79962e556fd3d094efac477af759e936dd50

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
76e7a2cbaae65de0cbe7e0ba3ec17fed

SHA1
66eef871dda2840a8013ab4abd2546216871797f

SHA256
8f79bf05fe1339e777cd4ac45168235983f84ded9ff8f0c6ef38ae021b11cced

SHA512
b5ee38d5b72d467ac7e2b44d2c7ce14360e125ab9456129b8e8bf1b0ba865b2d81ffc8781cb8be8dd60af9570582578597e94d93b74f422d445c8a4edcbac836

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6e4d159661822b1fca16953d9295c347

SHA1
c3c69f8cec92ffc4a17c4f4243d733d8c1206236

SHA256
074c8b17ba68ab598a774158d218d5dfe5260899b4e7e957034bf83af64283cc

SHA512
3cb7a92f88399c7ba980ccf4f6b32cf55cd89493bfa4e3abd7c05e1f51b1af8f972eaf7ae59ca13b61a4092bf11286adfad24b6abc45e81f7fc2a769495ddadb

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
aff656ed3c8787f3b761b1447680cda0

SHA1
852c40aae5116bb87f113c80c28a0c3198dad1b9

SHA256
a8e8e8645d7cc2b5dfb902534f7f4a31e37ea4c54b9782a20442c7ea8ec02c94

SHA512
7b2a93a69a2a76344a2c12d55da47c63916f24bec7fba3e89e7b09d738555bd0b354da24735d889001617ccac972dfeaa7718625107163766ccb4b291b618b39

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cca680a7fa10d7b2652fac2d50a38f08

SHA1
7745e6b5a02f68f1c3f3b915af2decd10598bf64

SHA256
b7d5852d1f4eb5ef15333ae6b20462e76e801870529c1ceb4fb644054ef8aba5

SHA512
0d2f250230935cb2358b2c890417a7bdb60b7c83b7b2eec3f7213d834d876455dbaf7a7db041c10a6992655bea60375ed4cd0420c2b9c9064ec105c672f34adc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d9d54b1a995d036d919ba5bef73388cf

SHA1
9a3cffec91f8eb9927bf308915fa3fbb62a866bd

SHA256
c027455d4276dd58ceb1d32202fd3493d663a71c045c1e54a3ecc1561e04a1f8

SHA512
a081db18158f5e7672d1ce486480f16bf264a300aab5c30ab30fe75004bdf91ff9637d3ba1811b7b822cc521aaba5e6ac7422749521ceb757bd572c640c4d8de

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
b365ceb4a4daad71ba3a0526ccc18dac

SHA1
d7b674a60277eab43e868c10c49b386cfd19f138

SHA256
6ce523699a4771917e70499410bc6236dabb333f624954b3cc7a938c869a1733

SHA512
4040016e9b8082f99d4d1451c8b000202b9488c61b619e5564c2e41f02d7af6dbf8fc4dd9b16b9af2fa59a845c1e8a43e250bb864967b88aec15e943122c9671

Download Submit
memory/64-561-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/64-172-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/828-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/828-941-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/944-157-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1476-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1476-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1476-171-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1476-18-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1476-30-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1552-135-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1552-144-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1880-580-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1880-179-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2384-854-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2384-558-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2388-37-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2388-396-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2388-43-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2388-47-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2388-44-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2436-871-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2436-562-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3088-508-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3088-833-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3144-614-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3144-940-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3244-1-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/3244-6-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/3244-7-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/3244-0-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/3244-143-0x0000000000400000-0x00000000005BB000-memory.dmp

Filesize
1.7MB

Download
memory/3684-69-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3684-74-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3684-76-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3684-469-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3832-123-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3832-125-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3832-117-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3832-129-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/3832-131-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3876-603-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3876-397-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4296-535-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4296-529-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4308-598-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4308-907-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4312-113-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4312-57-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4312-64-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4312-58-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4312-115-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4448-108-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4448-493-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4448-112-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4448-102-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4696-716-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4696-440-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4700-494-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4700-814-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4944-631-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4944-890-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4944-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5008-470-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5008-795-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download