bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624

Analysis

max time kernel
29s
max time network
38s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Size

2.0MB
MD5

d11bb9a351b16eb4613df4b8fa07d2ab
SHA1

571a6baacb8a76c605737a1f71088e6ecf4d8f83
SHA256

bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624
SHA512

074c6e15377823356fcf60f9476b3a37d683a6879a8565be2de67e42b522d90b9923b792cf40690c4c36209a335965f5fc5a17df4160f6531914267e09799c22
SSDEEP

49152:pRq/irm17kZf9bkl36XT5XT1EZzjv1ZL3ft0f149:TqqSdO9bkh6D5D1mzjv19Vk14

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
684	alg.exe
632	DiagnosticsHub.StandardCollector.Service.exe
872	fxssvc.exe
4944	elevation_service.exe
3112	elevation_service.exe
1744	maintenanceservice.exe
3176	msdtc.exe
4540	OSE.EXE
1812	PerceptionSimulationService.exe
2220	perfhost.exe
2440	locator.exe
4528	SensorDataService.exe
1252	snmptrap.exe
4120	spectrum.exe
844	ssh-agent.exe
3860	TieringEngineService.exe
2352	AgentService.exe
3836	vds.exe
1884	vssvc.exe
932	wbengine.exe
3712	WmiApSrv.exe
3416	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\System32\snmptrap.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\AgentService.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\vssvc.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\wbengine.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\msdtc.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\spectrum.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\39c32f4613a2cfe2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\alg.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\dllhost.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\System32\vds.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\msiexec.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

Drops file in Program Files directory 64 IoCs

Processes:

bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_132453\javaw.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_132453\javaws.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

Drops file in Windows directory 2 IoCs

Processes:

msdtc.exebac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

description	ioc	process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 28 IoCs

Processes:

SearchIndexer.exeSearchProtocolHost.exefxssvc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008751335d8b65da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000112fee5c8b65da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005fdefe5c8b65da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bc9e415d8b65da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

pid	process
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeDebugPrivilege	1128	bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
Token: SeAuditPrivilege	872	fxssvc.exe
Token: SeRestorePrivilege	3860	TieringEngineService.exe
Token: SeManageVolumePrivilege	3860	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2352	AgentService.exe
Token: SeBackupPrivilege	1884	vssvc.exe
Token: SeRestorePrivilege	1884	vssvc.exe
Token: SeAuditPrivilege	1884	vssvc.exe
Token: SeBackupPrivilege	932	wbengine.exe
Token: SeRestorePrivilege	932	wbengine.exe
Token: SeSecurityPrivilege	932	wbengine.exe
Token: 33	3416	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3416	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3416 wrote to memory of 3472	3416	SearchIndexer.exe	SearchProtocolHost.exe
PID 3416 wrote to memory of 3472	3416	SearchIndexer.exe	SearchProtocolHost.exe
PID 3416 wrote to memory of 3540	3416	SearchIndexer.exe	SearchFilterHost.exe
PID 3416 wrote to memory of 3540	3416	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe
"C:\Users\Admin\AppData\Local\Temp\bac748fad25075d320f06c3cb9cbe4ac2f6c74942add527a469b7731eb46f624.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:684

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:632

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2196

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:872

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3112

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3176

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2220

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2440

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4528

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4120

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2720

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1884

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3472
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
00ad76e8d5d904bc5381c3b71719c9aa

SHA1
e9827bb8d64a5a964c4cfb188d936479ef53744c

SHA256
afa38d96fe1a6f8e29a7aa9629780f343ed551b60abf24747e7d3248cd6ff41d

SHA512
e04688332a05b8ecac463b86c343fd17616c13b03b30b26fb898899ecd53b8b4ff1bd01285079ba7c0cf55f4a468b82f241b61c79713edf5e0cedcb9ef2a3564

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.2MB

MD5
d052d8430b3bb42d7d16b7d63693eb9e

SHA1
0fd2e35202257c89a7b0e4fe12577e6d190e074d

SHA256
0578b304d2c35530c3ac5dc42eb868cb5bbb44faeb10daf711aee44edf3c4779

SHA512
6c4aae7a4a383402040d7a08b4e95d7fef248c6194025f034627698da484eeaf189afed1bccc4b036cf0e3b76d57d7812cc9680cfbf438ae6dbc17dc9d992865

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
db6327d9a6e5a31891853c746214703e

SHA1
83475a2a2ec97d42538f9dfb7c3bf9db01ae7ffe

SHA256
8f90f334f6186d04907672286fd61844725fd2054123c46009b033a9819852bd

SHA512
cd277a4ced3eebda2db98d49d0eaa56c41ca8d0ea53a708e5be7b3d21eb826b288d15db84de96cadef209bc4429adfd13ca856c54cb2b87709e93667d20b29f3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
286bf7d52af5924991281c6972d02d11

SHA1
0accc89560221f27a35cdf25130a28eee28b1583

SHA256
748c45b3d02b77ba1d049ea2537ec43c0d2933e375b7e22f749e7dea82464052

SHA512
02c61cc72a342e4f92884ac4da89eb0e9f4e6b03fe67c976a85ea05269e2d1a2c33365d9a2d5cdc7b29129a04cdf3da8d55c66204395bdfea705a9b7585de7da

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
9287e8a1c31434b11e0e9ce0793435d1

SHA1
b05efb2fd66efa28bf4b73007d97a4f52b4e9aea

SHA256
9049aa08b0ddf02ab2418c7473af33d1ccdbd8c2e53d80de222a31397375e61f

SHA512
6fbbd01c7cbf52f99d0d1950169dd74a92e9d97350ac68b7d3fa118d20ed28aedc679e6929e45bc9eb73e48b822404f3d1051ef31036725680faa3cf609f7048

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
611d4274122e962b6d791cc8d4b51a3b

SHA1
fea62cf016adb9f868a33cdbb7f2cf7c6bc2e8f8

SHA256
2af0c6300d99c3e4873cad358bfe372550a950db3265159df3770475f5205441

SHA512
beeb3672dc1601430b367940287a0f590da6983265e5c168d46e18402ecfeb9133a6e851243582efedafa04e322f1d7c9a714cda55a0e927b40928dd102c0126

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
8c02a35cc5a4f876bbba08708f8df321

SHA1
511f209b7c02d268081d944b5e1e5753a5449988

SHA256
f4299353ef0156faa6728b025242c9a71dd55c27bc6e0404478daac7e40a3be8

SHA512
a0ef3585d79ed2daecaaed06c938114a099346cea21c1e7e01e70fe56390eeebc332007d2bb363dfb2f8cb6f6e8d033b71ff6baf2647de3ed4bef2f87911be39

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
512KB

MD5
377a6095ce8572a63509dd7c0c704780

SHA1
a926cd257927716aafdbfd9418a8692a4cf3adb7

SHA256
726fb038a9c14769f81e0ab3b178b7871124316da03fff5bc31466d35a224459

SHA512
ae6edf1db0b10ca67f8c70c57bf79a9a8b96e990b4a8b2483f159e59a0c597fccef8dd72b0ad8bcd5d15bf9d0dded785d51e6e3463ed458ced58bd3f4a5cc5f0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
56de2904d335c39d64e257eb4f66ecfd

SHA1
848ccf9aad164c1ef7b5ecc85fe2255ecd267d49

SHA256
1c692de9f7ad1a904d0e62e814acd71d79fdbc27eb03082a2516eb03fd40fa99

SHA512
25bcec550a2a988738fcad78173c5066d36c21f6e96961c507bed5b486080e5d24e273a4eb19dda48fbb48b99c698a9c0a75d55834a4f223c2b4fd7abdcd3947

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8405fdebcd08dfdd14b2b23bee4084fc

SHA1
15218a8fdc70aba936395eb40f73f4f1278a74bd

SHA256
1cba919435600439ee4023503b50a2d2eeb912cba0fd307f30e6298089d282dd

SHA512
fb6ec748123be903c486f4e6833bffc55753e1e33342a524def2ae3461a00f5a3151871a2eb09b06a017764ea969ff89a83927a7243d2aed272660178b79b232

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
db4b9bb7b72b4086d0ded35e999b5458

SHA1
26ed889a623695b1662d6b628278bc2971de67ee

SHA256
1ffd593bd639fd2e6a56aaf42b855fda50f3b7516405066cdd88974d239d522a

SHA512
e5fc2cf57c8c4b98d026ff3a6984e18009e924a0d6163ea361af8f5273f1aaf44e1f80e0d954eeb19509acca6df0cfc350c43896a97ba76861d82f51880d6367

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
0d747bb0c63bd40acce5140271295b15

SHA1
fb1d2e8461f6504dc6588d307164e361d131ba01

SHA256
d005a6565e1533d9bf502c8ce0dbea596e30d2ac1c7155e42a2378c9a76e3531

SHA512
39fa90373378990c5a7e10dc3428ef9bd78761275994e6f26f1f1bec2a970f063ac963d05fb37be46e600a4a2bf17f5a65f8fcdc31610c851299c32b6086c35f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
abb7b02d7b6f4716dbe1b5c627034cf0

SHA1
33792f40799a429a4d681f929ce8cdba549274e2

SHA256
f705b586ce80f64003d1bf3e79948bd57d71e5a4ac82498cd22cd69445ff80a7

SHA512
78dcc07bcb931ff7a4b1df0bcae5a7c3c4bfaef49b14b41c4ed177157aaa755e520ebdbec2ab8d2dd42a90c34a3b4eb3a618084319824a86e52ce296176ba145

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.3MB

MD5
3b9f6c52572fbf6b98fc04828c80e2d7

SHA1
097f1a7bba68470faad275e1ef8591f44e08045b

SHA256
4871ccb560d183018d7d072ef1a0bf1193373bb2af4cbf00b308618fdb693cb7

SHA512
0b7952166bfc0fa68dd07de646e66a09e1326a6680b7e9f15ae567140a1c30f5eded6332336faf366a89b391f10d4581f4018c49d961286598288c3718d5d333

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f2783a9136960b3d6e93fdd20faed43f

SHA1
41947f921fd63fdd23758256078433a2bf108c81

SHA256
501407e642acc3cbabeacc9383ccade57bee119184846d899d374fb431381212

SHA512
5d65614e5108cee8bad955fbe89a1e167f8b09bd0009df52f2232c73468032e0d1f4a399f9b03a688ee3afbe83b67e98b784c89b33cafa290790d6bb820b264d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
296ccf5e83b88d60ef6196b098465503

SHA1
515c50ae9ba5865c455b6d6a9f9f5767a9bb9eb7

SHA256
2c8533898d21328b3ea4f95ee5daf3038b2b2c4f3dbf0c0c717c5a7e823f2774

SHA512
5d7df3a1d8960dbee9a883c1dd48aa556666bf9581114b184fd6523c77328bf06b4b40f6e811ff5dcb6d61a3ae89be292141d32f195cdb47eaac4284516f58ae

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
44f2919200d0ed883991e54d1fa407f0

SHA1
4ac6f30776e841c194f2f79abae37ddb702a0376

SHA256
165c316a7e15162b9fe9c657c0afabeb6d3de1ecab66f4ec5028c3161c8c2a1c

SHA512
9b84edaf8db1841169672df8be16d600b2bbe613ab4df6256d398d8981a55292b7982ae59f5a964541ac15ac766c2bbbe9066a404837df29e06d72079d4e662e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
9485ff44ca92c009de397a17bb0929bf

SHA1
da900a07dfbb545c9bf11756d478800d38f4b449

SHA256
14d7ece3552ce3949d6a7cb57be09a206c2413d7b9456254744c69093570e8fb

SHA512
b6aefce65ab7af52a8c9d20321dc9ba4b31fd57e20e6a5f520d760e40e7809f9cc9dc8338d69bceefd7ca6829bdd77b0443f51ae278b1e35a4a44ccaa3f791c0

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
70fec1818c950b5f977a7073a41b9d4d

SHA1
1c9aecf3da45e83fc184f790ee09902134b3721f

SHA256
6a5a5ea0e545862267c89edbd0289f755234b0b29b2d61cb6cc803cc1044080e

SHA512
2956bd82f23cadb8214abe61fa369c8a4cdd05f0db3a53d3abd78a85cb6fb3bc2e9f89e05c32b732125fcc2e1a2e21f820f16f39f9c97bb0e0cec3f817118e13

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ea2b312bfa458f22181c9d87bc020783

SHA1
700f0a3a5b8d0ede6adccdad99933b68699780c2

SHA256
4944cd35e70d38838198f6b725544e74247ff6d3e99bdbf333a47e3262258aa2

SHA512
08a71021b922612912f65978fb17d73b82e039b62f26ec2d5b491009a2e019c2fcd2c033f0fc979ba7997034fa57be63b01ff834743db79490f12f1dde548e10

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
860edd4c3cd759ab08aac3baccde70b8

SHA1
d2af7d677f3e639da84444d0560aa5206b1a5725

SHA256
2bbbedd0dfda0846c15d820f194741040af0948958d7f77aed467573ba764215

SHA512
27cbfceea1cedaccf60191951516e91a38ba634283724d314b9df63759f0f6bb5dc895944b46b08bbaca4b13ce4792f1c994b00ab7b074ac6e8a5d992729e901

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
fded7ca6afe955062df3cfc5815c0632

SHA1
99c0e0c66b4901d75f67ac4b73002edd6b1355eb

SHA256
57805d677d50c60b28283652a31efbb8c32ca8427eefa8b63179b1230c4e368e

SHA512
c138198a133ed9cfdac620c31634d8cfdb27334ea6743d3dfaf97249ada55b623c402d76d2c5b39a2aa07ecad3e9ddb1edae87b864dde659d8352947ecaf268b

Download Submit
memory/632-27-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/632-69-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/632-31-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/632-22-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/684-23-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/844-182-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/844-173-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/844-354-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/872-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/872-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/932-201-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1128-122-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1128-35-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1128-57-0x00007FFE00AA0000-0x00007FFE01561000-memory.dmp

Filesize
10.8MB

Download
memory/1128-77-0x0000000021590000-0x00000000215C8000-memory.dmp

Filesize
224KB

Download
memory/1128-79-0x00000000215D0000-0x00000000215DE000-memory.dmp

Filesize
56KB

Download
memory/1128-51-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/1128-48-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1128-65-0x0000000002C10000-0x0000000002C18000-memory.dmp

Filesize
32KB

Download
memory/1128-72-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1128-0-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/1128-67-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1128-8-0x0000000002020000-0x0000000002080000-memory.dmp

Filesize
384KB

Download
memory/1128-44-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1128-14-0x0000000002BD0000-0x0000000002C02000-memory.dmp

Filesize
200KB

Download
memory/1128-20-0x00007FFE00AA0000-0x00007FFE01561000-memory.dmp

Filesize
10.8MB

Download
memory/1128-115-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1128-25-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1128-1-0x0000000140000000-0x0000000140213000-memory.dmp

Filesize
2.1MB

Download
memory/1128-146-0x0000000002870000-0x0000000002880000-memory.dmp

Filesize
64KB

Download
memory/1252-204-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1252-155-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1744-71-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1744-91-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1744-89-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1744-84-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1744-74-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1812-124-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1812-123-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1812-130-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/1812-181-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1884-411-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1884-198-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2220-141-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download
memory/2220-136-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download
memory/2220-142-0x0000000000700000-0x0000000000766000-memory.dmp

Filesize
408KB

Download
memory/2220-188-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2220-135-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2352-189-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2352-191-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2440-148-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2440-196-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/3112-60-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3112-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3112-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3112-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3112-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3176-157-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3176-93-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3416-210-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3712-205-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3836-410-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3836-194-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3860-185-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3860-403-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4120-209-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4120-168-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/4120-159-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4528-200-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4528-350-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4528-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-167-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4540-99-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4540-102-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4540-114-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4944-100-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4944-40-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4944-42-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4944-50-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download