d9b20209d1732768457a9e7a42a30e4c8732ab0fd1f75c12e7bd5b8e4ba96f11

Analysis

max time kernel
15s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2023, 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3c3a0b9e2637af4d73654ec1e8937d0.exe
Size

1.2MB
MD5

c3c3a0b9e2637af4d73654ec1e8937d0
SHA1

4c99b6e1fc940304e444637335868db8d51a47cb
SHA256

d9b20209d1732768457a9e7a42a30e4c8732ab0fd1f75c12e7bd5b8e4ba96f11
SHA512

7d28914f25d08a8b1571457a44390550439afca887c7cd562d36aec6965f4e9ea3db0e5d40afebdbd37622b11aa47cc33631a51ad72fcb5d0f13d61502a17526
SSDEEP

12288:QutlnybqL5tml0aTcMjN12xdUb6pSsFQHNP51lK9+Prapve43kT:Qutl11tmlNQ2OnBdFQtP51llPup33kT

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2948	alg.exe
2924	DiagnosticsHub.StandardCollector.Service.exe
4988	fxssvc.exe
2008	elevation_service.exe
3756	elevation_service.exe
3264	maintenanceservice.exe
1784	msdtc.exe
2756	OSE.EXE
4504	PerceptionSimulationService.exe
3588	perfhost.exe
2980	locator.exe
4304	SensorDataService.exe
800	snmptrap.exe
2888	spectrum.exe
4848	ssh-agent.exe
4256	TieringEngineService.exe
3888	AgentService.exe
4544	vds.exe
1804	vssvc.exe
3020	wbengine.exe
4152	WmiApSrv.exe
1184	SearchIndexer.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\31f8958d9bbff8e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\System32\vds.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\locator.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c3c3a0b9e2637af4d73654ec1e8937d0.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3736	c3c3a0b9e2637af4d73654ec1e8937d0.exe
Token: SeAuditPrivilege	4988	fxssvc.exe
Token: SeRestorePrivilege	4256	TieringEngineService.exe
Token: SeManageVolumePrivilege	4256	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3888	AgentService.exe
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe
Token: SeBackupPrivilege	3020	wbengine.exe
Token: SeRestorePrivilege	3020	wbengine.exe
Token: SeSecurityPrivilege	3020	wbengine.exe
Token: 33	1184	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1184	SearchIndexer.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c3c3a0b9e2637af4d73654ec1e8937d0.exe
"C:\Users\Admin\AppData\Local\Temp\c3c3a0b9e2637af4d73654ec1e8937d0.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4676

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3756

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3264

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1784

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2756

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3588

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2980

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4304

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:800

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2888

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4708

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4152

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1184
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  PID:4012
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a59710fbc072aaf76b2cd99ec8a2cef3

SHA1
c08551ac5f15feb0b8f75ef5fc9e55bc8ff644b1

SHA256
96185ec415e1e1fc24440cbdc3f7b81e80dac3c7e84755cf8f8c60218e4a0249

SHA512
cf79a9b1654fd4b7d61750643511a23be3145e47c61cb6eea52d05ee3bf8593613e38a3e7f98ec9ac04eb030935ff543023b631d9d7f2a8e187e74d7897ead68

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
723db8e466e569dc815a384e306a3799

SHA1
fd4b9b8212eb9067e255e7c348b2776be3f86faa

SHA256
a516b1fe76f63d0329f6630cfae00d7028b5d45c95de429d17a5b029bd8eb7e7

SHA512
3620c9fa9f2b6f1fd835978c2d0e3e34c38366eec2572fdf27e4263f1ab7907ae6780ff6baaa35b81f9a41eae637f2e9745e032407fdb9fe807e30002e0f73e7

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
774d5ba28e57f6c1736136fe8cc42d55

SHA1
ab3824c4b7ae794997d34f8ccf084b620e6dc52a

SHA256
1cc1faed0eec7109b71156ce32acc8d376f779defd40db561f1e56e4a53e667a

SHA512
fb5a312da9cc0a0d2386536357a0fa985c0daf433e298987f721bd47d438115740845838d629674f77ba52bce427ae3ac7dc0d8a7562ac4c766eec80c9ed1aab

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
8df467872012787be009e60164a7f7a2

SHA1
0b53710728ee88b023a058405807bd2111910037

SHA256
cf4f88f0de8e2cee5b615222eda06781f46b1815ffa140994b47b36b8affd580

SHA512
9087254e15021e5eeff77e6b2dd35998e00d04f5fde4724ed19ee9d191cc51ab9ba6221a444dab1282fbaff363073ac1c0ff39c9bbfa0c09f61465dd14a988af

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
df6cf216a2ee99bd877fb0c3bb039713

SHA1
6bfcad6a0ae62551ce8819b067f8425c6ccb3710

SHA256
37f4e26a708f222f0c96382ab7a35b717a75d35f598bb4e4fc365e05c6f9cf16

SHA512
5109a895b68ca25ae398847dd61f45f78482cbb57769c9704a321c17499cab4340ec32a1e8f611c97e2df527ed5c6d526da614c24315536dfa7f647ebc28e98d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
942edeb747e31525f3df18c225fd5562

SHA1
34484d6ab00449ae7acf7429c6ae132076cb2393

SHA256
c6cb70c33ea7237482bcfd3deb81527809e3b0831c74fbe2e9b6bb387c8e2f0d

SHA512
9e69f8482ab114af8989dcf333b6e7582a9b5634bba046acb938e21460d9b2d331fbe4a6ce909a68f36316f7bf56b2526c5085ce149bbec6e4cb09d24f643f08

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
72dec8edf462c6544fb357aa213e1c2f

SHA1
a39ef50ad2d807a8dca1eec066e970e10e1e4cea

SHA256
6699170f50e53a084f11fb56787e0bb03dac16bae7db9b06b5c0b193d3b2efe2

SHA512
1c42b6975add2d09985a65b468f14f3164d84257c8e062de144d15b160ae4ea6fdc149ea5db934d3f293910f214498de85b333e9a97d9d481598f86b86378a0a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9ff4a1f3cfe5f40ac9d28b77763d8a66

SHA1
1a313af2e677cf530ddf7443fe80a6102310eb28

SHA256
981b722f857af3a8b0d3316906d586c0d2766c6d0b9f39fda50c6d8b53cc43e0

SHA512
5f78666c5000b42e5651755dd8913234d212b3733424a31c9dbf7ef824abaa370b3b290c49dce67b02278d13e8da35e1cb00f8853c4b7d41b083c38ab0652bab

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
65ff47991bb6c73c4fd4a501ae328b8c

SHA1
c5c987b0bc2e7190afd1b90e7d9c2751af935558

SHA256
ff34966dc0e5b658398b09a497df5ae20e3b45caf7d0246cc37f8e83c4559b4c

SHA512
b03a6ee5a9b8927b1cd5576436181b556e7395a5e70034d4d949bbacc3340e3224f808ad3aaebe51ffe31cb156b92096b3902105840cbaca383c603bed430a10

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
783828e6c4d8f2e97f740be004a46645

SHA1
dd3d72f8e3a1147dcb37946b3b21126afe4c0242

SHA256
316e204b094b5cf2dc4b16dd2e8fdbfe3dcd594b405a31d7a7c4db10d07afef4

SHA512
b7927845a86d60f99f155a5dd5f7242a3830ba1270f049f410e3558b7a403a2c19ec4b824a18150b6aced0dde9cd9061f8c49530ded11ec8d1a8d349e0af9ee0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
783828e6c4d8f2e97f740be004a46645

SHA1
dd3d72f8e3a1147dcb37946b3b21126afe4c0242

SHA256
316e204b094b5cf2dc4b16dd2e8fdbfe3dcd594b405a31d7a7c4db10d07afef4

SHA512
b7927845a86d60f99f155a5dd5f7242a3830ba1270f049f410e3558b7a403a2c19ec4b824a18150b6aced0dde9cd9061f8c49530ded11ec8d1a8d349e0af9ee0

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b940c660db3d6e7ca294d3e7ef6a9358

SHA1
28be1577a1c2f202c88b4fd52d92f2d97df331f9

SHA256
e3e69c8a21c87513216cd9b8386b4ff3e3fac9ccc8bd2c9d5127f82661fc866b

SHA512
dedd202fb1fd171b075a207cc63b2fdc66523bc3414bfa9cc0cf7c3689bd1051e472c9754a76b994548f0300626995c70f4c30c0104ea334d3d4da3091383450

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8e7d1a04561f765453691eb3e4af8a76

SHA1
1b0e742b3fd3b0b226f0fb84c6a90f4d9249bdb6

SHA256
4a0670330fcff2b2ba0f366fb93bb25b754bd33737225b77747ce81757cb7795

SHA512
885534bed94709362d78c113ebbd4b4bb52f6802981538f5e45d12cb3e47f83408a60e87efa5b5c999e345f507b2928b1174cc6bb7b483b2add7bf46b13e28d3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9b6007986568d27ca6366ac3564e1631

SHA1
b934b5909af837f9ab672595bda2c8b2570ae57a

SHA256
a975e1a28451193b65239c153ea8c1efc4787cd7fa4716fd3978f1b7c12ff7a2

SHA512
ff086b66683117cd6200dd6285678a2a9c314492189842686c35c648519cfa005d38fabb52672086d6b18b8fc3f8e7ce6825c953ac2f47b0f77b169c343e4999

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
619df72a954bf79944af4a181f562bd6

SHA1
4476c51f13073ce7a19c384491c471fffaf14704

SHA256
bc88597c3ad8901954e7585f4a4686c4eda73fe7326a6c8e3538d60b17ffe5a3

SHA512
daf7b56ff634fb6b857b51e3ce1d8ecd4fbbd0ad5f3a9c430b90b4868b0129042ded1249a0b48006341f54fcd23ea886ae0c1ee9862482f91f32a961c6099c94

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2c0670edfa1976cdb78ed27f7b03799e

SHA1
d718fded0dd90f20e269ad0b41e9f690a01aeec9

SHA256
95e639ee06e289720268168fbd4b808b9e30810935fdbd79d1bab5a6cf798883

SHA512
026961492f297e48274d599198a22bbc4e096c2aab9282a3b89388bb7555e2bc008b6b513c224d239bdba1a873426305d7252d96be8d7bf79f871f2abffb57ca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7d707926c027180d4ab5cfeb8e7091c4

SHA1
d50e5e49236b97507ac5572566d72982eeaf0a20

SHA256
6c26f9abf6a3417a329d9180aa5ec84f588da90675fbed20bc1b505027427014

SHA512
b8bc658cf47890c2173033e1487a69fb0012dd717eae09eff845e3ac8117e2b93451b689106df7870abb091e99b666c7a94adbe6a36daa5a3355685efe17f5d4

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ebe07cf09526c368cbab08d30a05c40d

SHA1
e3ed910423df9eea5637a9b2e908799d3c9f4bb2

SHA256
8a41212139515a21f088b6d2c80b4f2817a52888b1ef3a6d8fdb184283b0b0d9

SHA512
b3cbf8a19ee96b2297f0fdec968a902d463af09c5a311e86be5d75ed065f913941318e5be93ebbb312994f9cc12f343858ddd64c9526fa6df94f22d75a29abe0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
5127dd698f7d1c2e81d9fc81d2239afb

SHA1
abbcf0536248491d0a84533cc396223b1b299a13

SHA256
53b0d442a35cfc9b85a698b854dcddd1c6727d65ad0bc26197b0ba0cd7080891

SHA512
b7f580be8d4391cf34d93ae022a2485eb68f6566a6dfc4af6d011f8d707d4128b45371540146a5a4a0ad2e85cb65df4a4b9368a12a6455c53acaa7aba70b2999

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ad2c0f3984f32279fa25de520936a7ba

SHA1
1882d78ab3b0ce677b316814439df072ffeccc86

SHA256
fcb00c8b76a96a310d349c1d4420e6685360b7edf52ad00d194b91898b68e150

SHA512
d2e2673eebe67cd8c54162e0845423c15d0bb2df956507ced94a5514297f203dab735a22204cea39ba3132fcaf1d1f1bf5166b5199f45b8d7298528bb4176bea

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
79e69547622bf584274c9b559ac81480

SHA1
20403be1be9d8f4f52a4660c013cd22082229b44

SHA256
bb4553f946e5c963bbc4236dc513460f94d81b45ad983b3ca0fbdb3411548ade

SHA512
012a45de8cb06e20fc3c561e7c1235cd22b9584e838db5e87fc13a44751f47687495e5e93040e211375bb1877726db3667d05797c69da41ee3f145f4c16d98c7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
18bd8974f8c8100da33a06d7bfac49d7

SHA1
3620c877afcee636c117da14d0c5c8ca288a61db

SHA256
95cd004ff38f2820d0cf9d6efdd77417128b3321c8a28855be1d8216306ea82e

SHA512
c5098822b295bf5f165bc8d69d4d028a449d7a2e3d5e94370b669a79c450384ec70e46519f26947924c08631290e43fa345a22834d507609152ee718ae69b68e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
24be8be4d1e39405106268bb6a8c2b96

SHA1
929eb7e3de7ab88cdfa3e309b43ca6487a73e832

SHA256
6f68b4569f151561c728afcb63080d25104d104446d901503fd620ff6f95fc1a

SHA512
fd9eeb1e68194dc32d59fbd73d4ae801f449340f9f24495de7274b61bd532cfe652303a2be619a444357e415b27939b16e455176664739d0903b678997e5bbf4

Download Submit
memory/800-172-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/800-125-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1184-178-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1184-341-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1784-127-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1784-74-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1804-297-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1804-166-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2008-39-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2008-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2008-103-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2008-32-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2008-40-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2024-346-0x0000017FD37C0000-0x0000017FD37D0000-memory.dmp

Filesize
64KB

Download
memory/2024-344-0x0000017FD37D0000-0x0000017FD37E0000-memory.dmp

Filesize
64KB

Download
memory/2024-343-0x0000017FD37C0000-0x0000017FD37D0000-memory.dmp

Filesize
64KB

Download
memory/2024-354-0x0000017FD37C0000-0x0000017FD37D0000-memory.dmp

Filesize
64KB

Download
memory/2024-352-0x0000017FD37C0000-0x0000017FD37D0000-memory.dmp

Filesize
64KB

Download
memory/2024-355-0x0000017FD37E0000-0x0000017FD37F0000-memory.dmp

Filesize
64KB

Download
memory/2024-350-0x0000017FD37C0000-0x0000017FD37D0000-memory.dmp

Filesize
64KB

Download
memory/2024-348-0x0000017FD37C0000-0x0000017FD37D0000-memory.dmp

Filesize
64KB

Download
memory/2756-82-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2756-136-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2756-89-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2756-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2756-90-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2888-128-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2888-138-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2888-177-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2924-16-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2924-17-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2924-23-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2924-80-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2948-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2948-73-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2980-117-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3020-312-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3020-169-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3264-57-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/3264-69-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/3264-71-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3264-64-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/3264-58-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3264-65-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/3588-158-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3588-112-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/3588-107-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/3588-106-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3736-7-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/3736-6-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/3736-1-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/3736-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/3736-56-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/3756-44-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3756-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3756-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3756-114-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3888-160-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4152-330-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4152-173-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4256-155-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4256-265-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4304-276-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4304-120-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4304-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4504-150-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4504-94-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4504-95-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4504-101-0x0000000000B30000-0x0000000000B90000-memory.dmp

Filesize
384KB

Download
memory/4544-287-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4544-162-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4848-142-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4848-152-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/4848-233-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4988-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4988-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads