d00f0f3177144d12e243e18c44690c3a6ac62923bc0344ecd6f69a729f4efdda

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2022, 13:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Daniel 22Khz MLG voice.exe
Size

89.8MB
MD5

e482ebadb6bbf1f5d69bf6d1e6e12008
SHA1

0aee3d19ab94a3ca15f6406dcada0fbe5d281ad5
SHA256

d00f0f3177144d12e243e18c44690c3a6ac62923bc0344ecd6f69a729f4efdda
SHA512

f36f08f0625f40a53a8c5b4e3f9a77f8e873f9e8db84b6c2e8ba6febae503a7bb1546fb6e62cc9df67e205a00ea119b72ee72da1844a8ce125bec01ea45464ee
SSDEEP

1572864:FziL1l5ZNspxolotkEq1JIxsWGsZIodnFbA4lenCrpXzHL3fjacSsd7AzkbOMAr:FzixjIoEx+UnF+C5bIQ6p

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 9 IoCs

pid	Process
5332	MsiExec.exe
5332	MsiExec.exe
5332	MsiExec.exe
5332	MsiExec.exe
5332	MsiExec.exe
5332	MsiExec.exe
5332	MsiExec.exe
5332	MsiExec.exe
5496	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\F:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Program Files directory 48 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\data\us_daniel_full.dat	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\synthesizer\rssolo_synth_155mrf22.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\ScanSoftReadme.txt	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\combrk.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\synthesizer\synth_112mrf16.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\comsyssvc.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\common\rssolo_dcteg.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\rssoloapi.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\synthesizer\synth_83swf11.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\rssolo_stdpp_eng.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\synthesizer\rssolo_synth_83swf11.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\audioout.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\realspeaksolo.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\ssftrssolo.ocx	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\data\daniel.dat	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\rssolo_vf_daniel_full.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\rssolo_g2p_eng.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\edct.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\ttsengine.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\xlit\xlit_1252.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\rs_sapi5_solo.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\common\rssolo_audiofetch.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\common\rssolo_audioout.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\sapi5_conv_eng.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\comrsrc.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\g2p\g2p_eng.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\synthesizer\synth_155mrf22.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\common\rssolo_xlit_1252.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\common\rssolo_xcoder.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\data\vf_daniel_full_155mrf22_270_06.dat	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\conv\sapi5_conv_eng.dat	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\licenseAgreement.rtf	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\dcteg.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\xcoder.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\rssolo_vf_daniel_full_155mrf22_270_06.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\rssolo_eng.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\rssolo_xlit_eng.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\pp\stdpp_eng.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\common\rssolo_comsyssvc.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\common\rssolo_ttsengine.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\rssolo_empp_eng.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\synthesizer\rssolo_synth_112mrf16.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\pp\empp_eng.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\audiofetch.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\common\rssolo_edct.hdr	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\swisolo.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\components\voicefont\vf_daniel_full.dll	msiexec.exe
File created	C:\Program Files (x86)\NextUp-ScanSoft\speech\rssolov4\eng\rssolo_us_daniel_full_155mrf22_06.hdr	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E77.tmp	msiexec.exe
File created	C:\Windows\Installer\e5776e7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI891A.tmp	msiexec.exe
File created	C:\Windows\Downloaded Installations\{952F792A-172C-4F2F-88F7-C002F916C583}\NextUp-ScanSoft Daniel British Voice.msi	Daniel 22Khz MLG voice.exe
File opened for modification	C:\Windows\Installer\e5776e5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7F14.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI862B.tmp	msiexec.exe
File created	C:\Windows\Installer\e5776e5.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BE916006-E144-44CF-B467-F733D0F86200}	msiexec.exe
File opened for modification	C:\Windows\Downloaded Installations\{952F792A-172C-4F2F-88F7-C002F916C583}\NextUp-ScanSoft Daniel British Voice.msi	Daniel 22Khz MLG voice.exe
File opened for modification	C:\Windows\Installer\MSI82DE.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\PackageCode = "A297F259C271F2F4887F0C209F615C38"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6FEF776A-4CC5-11D4-9521-0000F8092E73}\1.0\0	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAC6785B-655E-4AE1-A656-BDEFD18DC46C}\InprocServer32\ = "C:\\Program Files (x86)\\NextUp-ScanSoft\\speech\\components\\common\\rs_sapi5_solo.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\MiscStatus\ = "0"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FEF776C-4CC5-11D4-9521-0000F8092E73}\ = "_DSsftRSSoloEvents"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776C-4CC5-11D4-9521-0000F8092E73}\TypeLib\ = "{6FEF776A-4CC5-11D4-9521-0000F8092E73}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{40FC6ED3-2438-11CF-A3DB-080036F12502}\409 = "Insertable"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6FEF776A-4CC5-11D4-9521-0000F8092E73}\1.0\0\win32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776E-4CC5-11D4-9521-0000F8092E73}\ = "RealSpeak Solo ActiveX Property Page"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776C-4CC5-11D4-9521-0000F8092E73}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\600619EB441EFC444B767F330D8F2600	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{CAC6785B-655E-4AE1-A656-BDEFD18DC46C}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CAC6785B-655E-4AE1-A656-BDEFD18DC46C}\TypeLib\ = "{4194F4C8-52A2-41f6-98B6-E10323A67B39}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0DE86A58-2BAA-11CF-A229-00AA003D7352}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\SourceList\PackageName = "NextUp-ScanSoft Daniel British Voice.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A0F31C92BCFECA34F9DD4BBA7AB8DB78\600619EB441EFC444B767F330D8F2600	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\ = "ScanSoft RealSpeak Solo ActiveX Control"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776E-4CC5-11D4-9521-0000F8092E73}\InprocServer32\ = "C:\\PROGRA~2\\NEXTUP~1\\speech\\COMPON~1\\common\\SSFTRS~1.OCX"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776E-4CC5-11D4-9521-0000F8092E73}\InprocServer32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\SourceList\Net\1 = "C:\\Windows\\Downloaded Installations\\{952F792A-172C-4F2F-88F7-C002F916C583}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\TypeLib	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\Version = "67108864"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A0F31C92BCFECA34F9DD4BBA7AB8DB78	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}\ = "_DSsftRSSolo"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}\ = "_DSsftRSSolo"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FEF776C-4CC5-11D4-9521-0000F8092E73}\TypeLib\Version = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\ProgID\ = "SsftRSSoloA.SsftRSSoloCtrl.1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SsftRSSoloA.SsftRSSoloCtrl.1	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\Version\ = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\600619EB441EFC444B767F330D8F2600\AlwaysInstall	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6FEF776A-4CC5-11D4-9521-0000F8092E73}\1.0	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6FEF776A-4CC5-11D4-9521-0000F8092E73}\1.0\FLAGS\ = "2"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776B-4CC5-11D4-9521-0000F8092E73}\TypeLib\ = "{6FEF776A-4CC5-11D4-9521-0000F8092E73}"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{CAC6785B-655E-4AE1-A656-BDEFD18DC46C}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FEF776C-4CC5-11D4-9521-0000F8092E73}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6FEF776C-4CC5-11D4-9521-0000F8092E73}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\Version	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600619EB441EFC444B767F330D8F2600	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776C-4CC5-11D4-9521-0000F8092E73}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6FEF776C-4CC5-11D4-9521-0000F8092E73}	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6FEF776D-4CC5-11D4-9521-0000F8092E73}\ToolboxBitmap32	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5492	msedge.exe
5492	msedge.exe
3188	msiexec.exe
3188	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4608	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4608	MSIEXEC.EXE
Token: SeSecurityPrivilege	3188	msiexec.exe
Token: SeCreateTokenPrivilege	4608	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	4608	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	4608	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4608	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	4608	MSIEXEC.EXE
Token: SeTcbPrivilege	4608	MSIEXEC.EXE
Token: SeSecurityPrivilege	4608	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	4608	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	4608	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	4608	MSIEXEC.EXE
Token: SeSystemtimePrivilege	4608	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	4608	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	4608	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	4608	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	4608	MSIEXEC.EXE
Token: SeBackupPrivilege	4608	MSIEXEC.EXE
Token: SeRestorePrivilege	4608	MSIEXEC.EXE
Token: SeShutdownPrivilege	4608	MSIEXEC.EXE
Token: SeDebugPrivilege	4608	MSIEXEC.EXE
Token: SeAuditPrivilege	4608	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	4608	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	4608	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	4608	MSIEXEC.EXE
Token: SeUndockPrivilege	4608	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	4608	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	4608	MSIEXEC.EXE
Token: SeManageVolumePrivilege	4608	MSIEXEC.EXE
Token: SeImpersonatePrivilege	4608	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	4608	MSIEXEC.EXE
Token: SeBackupPrivilege	1884	vssvc.exe
Token: SeRestorePrivilege	1884	vssvc.exe
Token: SeAuditPrivilege	1884	vssvc.exe
Token: SeBackupPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe
Token: SeTakeOwnershipPrivilege	3188	msiexec.exe
Token: SeRestorePrivilege	3188	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4608	MSIEXEC.EXE
1324	msedge.exe
4608	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4608	4940	Daniel 22Khz MLG voice.exe	90
PID 4940 wrote to memory of 4608	4940	Daniel 22Khz MLG voice.exe	90
PID 4940 wrote to memory of 4608	4940	Daniel 22Khz MLG voice.exe	90
PID 1324 wrote to memory of 5140	1324	msedge.exe	111
PID 1324 wrote to memory of 5140	1324	msedge.exe	111
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5460	1324	msedge.exe	112
PID 1324 wrote to memory of 5492	1324	msedge.exe	113
PID 1324 wrote to memory of 5492	1324	msedge.exe	113
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114
PID 1324 wrote to memory of 5560	1324	msedge.exe	114

C:\Users\Admin\AppData\Local\Temp\Daniel 22Khz MLG voice.exe
"C:\Users\Admin\AppData\Local\Temp\Daniel 22Khz MLG voice.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Windows\SysWOW64\MSIEXEC.EXE
  MSIEXEC.EXE /i "C:\Windows\Downloaded Installations\{952F792A-172C-4F2F-88F7-C002F916C583}\NextUp-ScanSoft Daniel British Voice.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4608

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:6096
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 62428A81E83815A188D24E1CC1BD1E40
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5332
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 031317F57FA4540A4B420105F52BA402 C
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:5496
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\NextUp-ScanSoft\ScanSoftReadme.txt
    3⤵
    PID:5360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault483b3bd8h3492h4317hbf84h6bc2d6f4a81a
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffd744746f8,0x7ffd74474708,0x7ffd74474718
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,10977108927222361827,12753792932796715492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,10977108927222361827,12753792932796715492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,10977108927222361827,12753792932796715492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:5560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault691786c0hcfa3h4520hbbaehb7247f9ae2a5
1⤵
PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd744746f8,0x7ffd74474708,0x7ffd74474718
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,6254756417102410137,3638741830569171651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,6254756417102410137,3638741830569171651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,6254756417102410137,3638741830569171651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:3172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\NextUp-ScanSoft\ScanSoftReadme.txt

Filesize
396B

MD5
4c0e475a91400195cc3c8f4de9cd5b20

SHA1
69ecc4b576e227b83d42c4a667355013e426846d

SHA256
9c9b395f8e24763fe75fe42c91d1cbed32909ba2b06ef1126ce1dd770b5dbe4b

SHA512
0f203ee91bb02980c52abe48ff679955c6669c520715e928c859aeab1a59d23dac4e1899aa3bd80de791731a19600a62cd2a45681e47290d438ba5fe5a87dcb0

Download Submit
C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\ssftrssolo.ocx

Filesize
316KB

MD5
325e698c280d89109fc6d126e21a791f

SHA1
81c513fb1622344faee962d32583e0733aff7139

SHA256
757c2f5c859c6162e27e7d5dd4186329fd185bc2b5e79f678c5061544ba9b437

SHA512
7bc40dcfac4444ed5dd2b9fc1d858859cf20ad3dc33f84558509a843309b8fa88729c1d7a111f2aa41f1a1beef338648553dfa71cfeeb17b46b724e04a434a08

Download Submit
C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\ssftrssolo.ocx

Filesize
316KB

MD5
325e698c280d89109fc6d126e21a791f

SHA1
81c513fb1622344faee962d32583e0733aff7139

SHA256
757c2f5c859c6162e27e7d5dd4186329fd185bc2b5e79f678c5061544ba9b437

SHA512
7bc40dcfac4444ed5dd2b9fc1d858859cf20ad3dc33f84558509a843309b8fa88729c1d7a111f2aa41f1a1beef338648553dfa71cfeeb17b46b724e04a434a08

Download Submit
C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\ssftrssolo.ocx

Filesize
316KB

MD5
325e698c280d89109fc6d126e21a791f

SHA1
81c513fb1622344faee962d32583e0733aff7139

SHA256
757c2f5c859c6162e27e7d5dd4186329fd185bc2b5e79f678c5061544ba9b437

SHA512
7bc40dcfac4444ed5dd2b9fc1d858859cf20ad3dc33f84558509a843309b8fa88729c1d7a111f2aa41f1a1beef338648553dfa71cfeeb17b46b724e04a434a08

Download Submit
C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\ssftrssolo.ocx

Filesize
316KB

MD5
325e698c280d89109fc6d126e21a791f

SHA1
81c513fb1622344faee962d32583e0733aff7139

SHA256
757c2f5c859c6162e27e7d5dd4186329fd185bc2b5e79f678c5061544ba9b437

SHA512
7bc40dcfac4444ed5dd2b9fc1d858859cf20ad3dc33f84558509a843309b8fa88729c1d7a111f2aa41f1a1beef338648553dfa71cfeeb17b46b724e04a434a08

Download Submit
C:\Program Files (x86)\NextUp-ScanSoft\speech\components\common\ssftrssolo.ocx

Filesize
316KB

MD5
325e698c280d89109fc6d126e21a791f

SHA1
81c513fb1622344faee962d32583e0733aff7139

SHA256
757c2f5c859c6162e27e7d5dd4186329fd185bc2b5e79f678c5061544ba9b437

SHA512
7bc40dcfac4444ed5dd2b9fc1d858859cf20ad3dc33f84558509a843309b8fa88729c1d7a111f2aa41f1a1beef338648553dfa71cfeeb17b46b724e04a434a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6102471af38b45f30decc8db2f59a8e2

SHA1
35428c52f58b3a35d5028929b6298d6b95d6bdec

SHA256
57e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4

SHA512
1040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
3KB

MD5
e34eebee15c9a7237cb6e5f774fa7cc5

SHA1
de7996a9aa01efe275624215190da9d9635c558a

SHA256
7ad244d79814f423408b40bf2838539b80a1ae54e76846900f66381c27f08295

SHA512
963538b912e8c7e69c211c7c35b814286c4f3ba535d74a56930267ac3871c01c07e98daac1464dd6ebf5a5bc2526a9a11fa53da6a4cbad0f3d00ed5c48281de6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
2e37b83544e5467ff7ac706a86fb6937

SHA1
b5531422f200029477aa1ac8766cc4d2ee8b5893

SHA256
767b850425dc2c37370d3ff157b3343b12a1d631a04c0a024cc6537126a2c606

SHA512
fadc54c48024d28afbf076c5e42bc5f9630316e030275551b4c28bda5c876ceb11a659354cb374c06e78e8c507009f545f177a8adbd3676cd72b90423e2d10bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
572b46e230491cac4ccecc7213a22d32

SHA1
31a10f60e718e1b5c4a1f97130d4003903a3cb94

SHA256
c8c7f5d13dd954dd7a1ca63575a2fc4cd06bceb0f0e5a5ab1c704300fc99107b

SHA512
53d4b656dff2a5c94f83eb9aa9eaf5943e0042380fa04d90b8d4f4ce99fd37a4f5cbc20bf216a2167ebd3aa103af77c09276262964edf3c7422482fe013e2c79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
91654a32107615ae5f80e25ecc198908

SHA1
5d6c60bb0c8170fa9c80bc340c06454fffd99734

SHA256
5a51b6b3a193550dcb2faf82ed6eb81152ac75c2b715b90033ab7e6853657502

SHA512
a221764eead8f92273a7d5687dbd631f40a106e905cb787489f8ba39e0bdf894c50971cd708cb4ddd4111e962e4862f10e7e9e1a1a03a8224c2b8cff2c98892d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA299.tmp

Filesize
48KB

MD5
49e11a1a947a4377dec76b88121ed36f

SHA1
966f863e9b03ad8511e89728fb7fee424edc8df7

SHA256
7edd4a606a2b9473e2e7ceeacfc0e9d58527c5b18900ef6da764afbd3cc013cd

SHA512
360a87008f90a8c1269f895a557d840e05e98d1e89066adb5c82bb32f2876bd16b8d5bd106ed0ad9fd68f17aead1688119d5fcd6b02fac3554219ac3f6744ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA299.tmp

Filesize
48KB

MD5
49e11a1a947a4377dec76b88121ed36f

SHA1
966f863e9b03ad8511e89728fb7fee424edc8df7

SHA256
7edd4a606a2b9473e2e7ceeacfc0e9d58527c5b18900ef6da764afbd3cc013cd

SHA512
360a87008f90a8c1269f895a557d840e05e98d1e89066adb5c82bb32f2876bd16b8d5bd106ed0ad9fd68f17aead1688119d5fcd6b02fac3554219ac3f6744ac6

Download Submit
C:\Windows\Downloaded Installations\{952F792A-172C-4F2F-88F7-C002F916C583}\NextUp-ScanSoft Daniel British Voice.msi

Filesize
86.2MB

MD5
10234110938540fce092cc515e1e1982

SHA1
900826136a7cb68e44accc650d2eaf563bc03329

SHA256
c8a22e33bcf6c12b75fe18a5651207c6f462c03bd5ceab56380c9e3b7b9974c9

SHA512
764b9aecfb892e2ae18bcb95ccdbefbe5cea0e4d20a969729695e495c99d08711f79ed1b16b8b59d983f7cf486597af121307eda7fcde31a74f65899f7463667

Download Submit
C:\Windows\Installer\MSI7F14.tmp

Filesize
76KB

MD5
9008ede963687a2e442fc1d8275e5830

SHA1
6f23d1785770fa55856bba0105514d5f759808e1

SHA256
1af6ff7a9ce239ea0fc6c6f9b4d45860b0d11c7dbfa35580ecd3940df3833fb8

SHA512
036b2088a1b74daf6cae428e976293c651cd15baaccbefb318a7eccbd7f7d88e649a074247c60b73c9a8b4609460a62024d1290d97b7a54da9527286a37d49cb

Download Submit
C:\Windows\Installer\MSI7F14.tmp

Filesize
76KB

MD5
9008ede963687a2e442fc1d8275e5830

SHA1
6f23d1785770fa55856bba0105514d5f759808e1

SHA256
1af6ff7a9ce239ea0fc6c6f9b4d45860b0d11c7dbfa35580ecd3940df3833fb8

SHA512
036b2088a1b74daf6cae428e976293c651cd15baaccbefb318a7eccbd7f7d88e649a074247c60b73c9a8b4609460a62024d1290d97b7a54da9527286a37d49cb

Download Submit
C:\Windows\Installer\MSI82DE.tmp

Filesize
76KB

MD5
9008ede963687a2e442fc1d8275e5830

SHA1
6f23d1785770fa55856bba0105514d5f759808e1

SHA256
1af6ff7a9ce239ea0fc6c6f9b4d45860b0d11c7dbfa35580ecd3940df3833fb8

SHA512
036b2088a1b74daf6cae428e976293c651cd15baaccbefb318a7eccbd7f7d88e649a074247c60b73c9a8b4609460a62024d1290d97b7a54da9527286a37d49cb

Download Submit
C:\Windows\Installer\MSI82DE.tmp

Filesize
76KB

MD5
9008ede963687a2e442fc1d8275e5830

SHA1
6f23d1785770fa55856bba0105514d5f759808e1

SHA256
1af6ff7a9ce239ea0fc6c6f9b4d45860b0d11c7dbfa35580ecd3940df3833fb8

SHA512
036b2088a1b74daf6cae428e976293c651cd15baaccbefb318a7eccbd7f7d88e649a074247c60b73c9a8b4609460a62024d1290d97b7a54da9527286a37d49cb

Download Submit
C:\Windows\Installer\MSI862B.tmp

Filesize
76KB

MD5
9008ede963687a2e442fc1d8275e5830

SHA1
6f23d1785770fa55856bba0105514d5f759808e1

SHA256
1af6ff7a9ce239ea0fc6c6f9b4d45860b0d11c7dbfa35580ecd3940df3833fb8

SHA512
036b2088a1b74daf6cae428e976293c651cd15baaccbefb318a7eccbd7f7d88e649a074247c60b73c9a8b4609460a62024d1290d97b7a54da9527286a37d49cb

Download Submit
C:\Windows\Installer\MSI862B.tmp

Filesize
76KB

MD5
9008ede963687a2e442fc1d8275e5830

SHA1
6f23d1785770fa55856bba0105514d5f759808e1

SHA256
1af6ff7a9ce239ea0fc6c6f9b4d45860b0d11c7dbfa35580ecd3940df3833fb8

SHA512
036b2088a1b74daf6cae428e976293c651cd15baaccbefb318a7eccbd7f7d88e649a074247c60b73c9a8b4609460a62024d1290d97b7a54da9527286a37d49cb

Download Submit
C:\Windows\Installer\MSI891A.tmp

Filesize
76KB

MD5
9008ede963687a2e442fc1d8275e5830

SHA1
6f23d1785770fa55856bba0105514d5f759808e1

SHA256
1af6ff7a9ce239ea0fc6c6f9b4d45860b0d11c7dbfa35580ecd3940df3833fb8

SHA512
036b2088a1b74daf6cae428e976293c651cd15baaccbefb318a7eccbd7f7d88e649a074247c60b73c9a8b4609460a62024d1290d97b7a54da9527286a37d49cb

Download Submit
C:\Windows\Installer\MSI891A.tmp

Filesize
76KB

MD5
9008ede963687a2e442fc1d8275e5830

SHA1
6f23d1785770fa55856bba0105514d5f759808e1

SHA256
1af6ff7a9ce239ea0fc6c6f9b4d45860b0d11c7dbfa35580ecd3940df3833fb8

SHA512
036b2088a1b74daf6cae428e976293c651cd15baaccbefb318a7eccbd7f7d88e649a074247c60b73c9a8b4609460a62024d1290d97b7a54da9527286a37d49cb

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
25e5d42992c53dfabe27dccd1d6f0995

SHA1
c24249972d5157c10b1679dd2a9e5ea12d65d95f

SHA256
14ba65915970efac67504f96186351fc9efd45b0fd7286f98483d1e936bd0504

SHA512
436acd5fc3128bb7d4acc0ad4af40192f34c15a55e511ca5c2dec1e59bb0fba3baca15d96a7a1a0419e90608b66c2c42e0017c26dc0dc441dff084c65fa3a5f3

Download Submit
\??\Volume{d26ecb05-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3d6e2ea4-8211-46db-a0fd-996729a33157}_OnDiskSnapshotProp

Filesize
5KB

MD5
3004f3a317298e9bd1b7a311a51b6604

SHA1
3b6396c74ec7bc90abf38e5d2c51ee6be91d37b6

SHA256
8bee2ea56a0ce62ff7adceab139b659e0994faa51529547d6017fc6c71b7f38e

SHA512
e47ea0b2b35ff2d3f8d7d0fc68579e9ab0b4227885edbb80e71d4e9b3b38a571d580c9ff4123073514f4a146c2bc95f8550882f94507f42a6c26ab0f406fa862

Download Submit
memory/5332-152-0x0000000002E30000-0x0000000002E83000-memory.dmp

Filesize
332KB

Download