2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
Size

4.6MB
MD5

5fb1d0fda1c40147101568c8238d144e
SHA1

5f677741141cf0ce038e10b5651117b911963278
SHA256

2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5
SHA512

d48089dd5e2d0890d14baec04e1bbadb789ba412729ef387864d216871d659b96099a3615a7fea86e889e1fec90b782c4bb5e6473a82c73b40d686221fc553d7
SSDEEP

98304:G4+PG8W44ij9RvbGOZUR241QZgC51B+PRPuCCMlwLv:uPG8W4HhbVURp11CjgJu6

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 24 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exeVCREDI~2.EXEmsiexec.exe

pid	process
2120	alg.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
3952	fxssvc.exe
4960	elevation_service.exe
3276	elevation_service.exe
3452	maintenanceservice.exe
3508	msdtc.exe
4484	OSE.EXE
4616	PerceptionSimulationService.exe
3912	perfhost.exe
384	locator.exe
768	SensorDataService.exe
2268	snmptrap.exe
2088	spectrum.exe
4800	ssh-agent.exe
220	TieringEngineService.exe
4508	AgentService.exe
5064	vds.exe
4888	vssvc.exe
1060	wbengine.exe
4668	WmiApSrv.exe
2068	SearchIndexer.exe
4728	VCREDI~2.EXE
4148	msiexec.exe

Loads dropped DLL 1 IoCs

Processes:

MsiExec.exe

pid process

5804 MsiExec.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5804	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exeVCREDI~2.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	VCREDI~2.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 36 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exe2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exeelevation_service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\60a7a35faa61dacc.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\locator.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe

Drops file in Windows directory 61 IoCs

Processes:

msiexec.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843619.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843666.0	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843353.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_a08a3e21.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80FRA.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Windows\Installer\SourceHash{6E8E85E8-CE4B-4FF5-91F7-04999C9FAE6A}	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843384.0\msvcp80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843634.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\Installer\e57afcc.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843384.0\msvcr80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_661fdcb0.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843447.0\mfcm80u.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843681.0	msiexec.exe
File created	C:\Windows\Installer\e57afc8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843447.0\mfcm80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843619.0\vcomp.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843353.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843447.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843384.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843541.0	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843634.0	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843447.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843619.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_40f01e47.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843681.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843681.0\8.0.50727.42.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843650.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843634.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843650.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843650.1\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_661fdcb0.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80JPN.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843353.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_a08a3e21.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843384.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843384.0\msvcm80.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240428193843650.1	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843650.1\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843353.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843447.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_10d0c3b2.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843447.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_10d0c3b2.cat	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE09C.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80CHT.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e57afc8.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843666.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843619.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_40f01e47.manifest	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80CHS.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2B0.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80ITA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843650.0\8.0.50727.42.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843666.0\8.0.50727.42.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843384.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_x-ww_3fea50ad.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843447.0\mfc80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240428193843541.0\mfc80ESP.dll	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000828eb54ef8e6371f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000828eb54e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900828eb54e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d828eb54e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000828eb54e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exemsiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad4c1196a399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c2a5ec96a399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007efa0598a399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000046b9e096a399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec870c96a399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000785f4396a399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbc7aa95a399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000072e8f297a399da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c30b3898a399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005dfdc797a399da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Modifies registry class 45 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6\VC_Redist	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Version = "134268455"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\8E58E8E6B4EC5FF4197F4099C9F9EAA6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\PackageCode = "824BFCC8DA7C83E44A851335763B00A1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.42",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 3d004e00400055004b002d0024004c00640041004f003f00430033005900210035004d0040004a00560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8E58E8E6B4EC5FF4197F4099C9F9EAA6\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exemsiexec.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
4148	msiexec.exe
4148	msiexec.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4872	DiagnosticsHub.StandardCollector.Service.exe
4960	elevation_service.exe
4960	elevation_service.exe
4960	elevation_service.exe
4960	elevation_service.exe
4960	elevation_service.exe
4960	elevation_service.exe
4960	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exeSearchIndexer.exemsiexec.exemsiexec.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
Token: SeAuditPrivilege	3952	fxssvc.exe
Token: SeRestorePrivilege	220	TieringEngineService.exe
Token: SeManageVolumePrivilege	220	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4508	AgentService.exe
Token: SeBackupPrivilege	4888	vssvc.exe
Token: SeRestorePrivilege	4888	vssvc.exe
Token: SeAuditPrivilege	4888	vssvc.exe
Token: 33	2068	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2068	SearchIndexer.exe
Token: SeShutdownPrivilege	2348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	4148	msiexec.exe
Token: SeCreateTokenPrivilege	2348	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2348	msiexec.exe
Token: SeLockMemoryPrivilege	2348	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2348	msiexec.exe
Token: SeMachineAccountPrivilege	2348	msiexec.exe
Token: SeTcbPrivilege	2348	msiexec.exe
Token: SeSecurityPrivilege	2348	msiexec.exe
Token: SeTakeOwnershipPrivilege	2348	msiexec.exe
Token: SeLoadDriverPrivilege	2348	msiexec.exe
Token: SeSystemProfilePrivilege	2348	msiexec.exe
Token: SeSystemtimePrivilege	2348	msiexec.exe
Token: SeProfSingleProcessPrivilege	2348	msiexec.exe
Token: SeIncBasePriorityPrivilege	2348	msiexec.exe
Token: SeCreatePagefilePrivilege	2348	msiexec.exe
Token: SeCreatePermanentPrivilege	2348	msiexec.exe
Token: SeBackupPrivilege	2348	msiexec.exe
Token: SeRestorePrivilege	2348	msiexec.exe
Token: SeShutdownPrivilege	2348	msiexec.exe
Token: SeDebugPrivilege	2348	msiexec.exe
Token: SeAuditPrivilege	2348	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2348	msiexec.exe
Token: SeChangeNotifyPrivilege	2348	msiexec.exe
Token: SeRemoteShutdownPrivilege	2348	msiexec.exe
Token: SeUndockPrivilege	2348	msiexec.exe
Token: SeSyncAgentPrivilege	2348	msiexec.exe
Token: SeEnableDelegationPrivilege	2348	msiexec.exe
Token: SeManageVolumePrivilege	2348	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2348 msiexec.exe
2348 msiexec.exe

pid	process
2348	msiexec.exe
2348	msiexec.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

SearchIndexer.exe2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exeVCREDI~2.EXEmsiexec.exe

description	pid	process	target process
PID 2068 wrote to memory of 3308	2068	SearchIndexer.exe	SearchProtocolHost.exe
PID 2068 wrote to memory of 3308	2068	SearchIndexer.exe	SearchProtocolHost.exe
PID 2068 wrote to memory of 3160	2068	SearchIndexer.exe	SearchFilterHost.exe
PID 2068 wrote to memory of 3160	2068	SearchIndexer.exe	SearchFilterHost.exe
PID 3192 wrote to memory of 4728	3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe	VCREDI~2.EXE
PID 3192 wrote to memory of 4728	3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe	VCREDI~2.EXE
PID 3192 wrote to memory of 4728	3192	2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe	VCREDI~2.EXE
PID 4728 wrote to memory of 2348	4728	VCREDI~2.EXE	msiexec.exe
PID 4728 wrote to memory of 2348	4728	VCREDI~2.EXE	msiexec.exe
PID 4728 wrote to memory of 2348	4728	VCREDI~2.EXE	msiexec.exe
PID 4148 wrote to memory of 5300	4148	msiexec.exe	srtasks.exe
PID 4148 wrote to memory of 5300	4148	msiexec.exe	srtasks.exe
PID 4148 wrote to memory of 5804	4148	msiexec.exe	MsiExec.exe
PID 4148 wrote to memory of 5804	4148	msiexec.exe	MsiExec.exe
PID 4148 wrote to memory of 5804	4148	msiexec.exe	MsiExec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe
"C:\Users\Admin\AppData\Local\Temp\2969d3646fd6bba6f94b3939c057a5a7b4443f94917b174df5644b7d90d195b5.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4728

C:\Windows\SysWOW64\msiexec.exe
msiexec /i vcredist.msi
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2348

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2120

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4872

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:716

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3276

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3508

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3912

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2088

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4424

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4668

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:3308

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4148

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:5300

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 481E47C2935157B3971A1231BC3C5726
2⤵
- Loads dropped DLL
PID:5804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57afcb.rbs
Filesize
27KB

MD5
cea7f1d2a2424a761c0ae0ac6db211c9

SHA1
d68d7a5609ac08378c26478d43b80ede9c8a80ac

SHA256
d2b9c061cbf9c990b0684514be798ddbe7b20fbdcdc775795580a9ebf17db75f

SHA512
3fb624c589b53922c4bb39870d33bd083b238d907e085b2e722d1a7cf0b13008911f26128a352f1d10b0543320233576b4c1e6dd66c86447cd8c165802c6fd11

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
d7c51e629c248f332e95e685e4dd2048

SHA1
e3cab47001acc83e712943d7c591e60adc864913

SHA256
0af113687c40737600cbbfb75ebb6d57f5d88f5583af88cf11b3c7252b6d95cb

SHA512
9373bec061b7cd94599c008fd966b0c2a9cfcfcf6942a51bb2965dc1dee2363e20b1302c59a493ad724b94ffc599177b85359648c7ea9e8602daf115a7825034

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
789KB

MD5
055a8d443417e9fc301dd47903cd12fa

SHA1
0fcc5a64a5c0190ca01b79ea19415f38b130e9da

SHA256
edcaa168954023cd706d741b992030737db80710728c49ba491ab8577beab670

SHA512
0168d01796bb2dea36b2e1e6e48e47830c134b7bb4f080bc9e3cd4f6bf78da4e16b07ec31a9b379e5d61dafcec9f7a26fbabfae396812dde91eeda0a99a16e1f

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
7730f3de5c5d9f2361bb97ce658b0a35

SHA1
889bdee1ad575b882991fcc59853c39c006cb1c5

SHA256
eef4bec6012f8c5b752ecfc9cc2b074a6ebfde5b512f7ce83304f8845c036fa0

SHA512
df150652a475bc8d5cfdb5f75c52eb78ef800a557dd3b470d7db6dc46b9063b343365c47727f1b599bc68e8589fbbbc0d45185a6e7bbec5dc814aa5b96f8c6f5

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
409024311ae229b4fb3c73253e8ef547

SHA1
c0e3753d3c21a77b7ed7f989a57d83c57c80c30d

SHA256
2800a3a150041cf4bd40051cc722612d75cb2e77e1ef7652fd86edd905904b0d

SHA512
6c41277b135f878c6a33a3b8ef7cf6ceb7a8d27685eb5e2096462f93b2d2d93470a32feca08b0b13bcd329d5b1698aab1eac399065794d10bf00a65e11bdda49

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
e6836d5fd66a67eefd01264bec9976a7

SHA1
c4c3fe08779fecc983d2535076c2c08c45362994

SHA256
14b58b65ebcba98698237e5b51a2d028caf6ba5245fe81bcf0cb4cb1f79c4703

SHA512
430946b2f0b2b1f61cbef60ee4a4ed72f0d471c3535d790a90c5ca401bb2c3d23859e9de09cc65a0f7b8a82fe1ffd25d11d06a50563368e25fe794383e2df545

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
8e846d9a3427db37b303be1d93ef47fc

SHA1
997a4efd8fe24d1403c0ef35b3f9496bef8c2973

SHA256
47419a79ea68ab50bbcff868e0f36cf6ef274c1f38c67817780013073e1a48c2

SHA512
c449d63df5b0c5527f47be9750e855125d29c8531e03bd6a7ce53b601c3d3ae65df6b94c2a44964d8d699ba175008af43d906392240b8ab20bd7d52b13abbefa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
80709fbf7fa180371bc2c4343fb65c5a

SHA1
c286438d8d792042e5fc04bc2818e6898ef482e4

SHA256
85f15c3208c3d7a8c1f84103475684daa030a22e69cea03627646eacc6037a99

SHA512
ad375f4bec638d246704ac1eabde36ce3ab702cc44568d5c00848e6b93813b474ca463d10250798f01ca49005cdabf7a966fb46c3be1efe85973a8737e7f1d00

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
9824d16d654ef4349aea9c2408f154e8

SHA1
51ea020514f02b837bcdf6e189a06545c08ef4c8

SHA256
cc3f2395bcf6d573ba01140f6e745b503ca528ea3e2cae75efa639556e272549

SHA512
f6d8c8441bb738500f584fbc8d4db1bbb3559e7580f438519c94420998d3d15d37792b211107de9a0b1d88247dc36ed36f63a4741a7ab2e51fc6022e6b5f735e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
b8dadbb28283752152049390cb248407

SHA1
6c97b4b01ba799fc7d3ed5e778dd2df78d3293a7

SHA256
703daecfe55cfe827a19498004c5ac563a6276ee68306fc4b2550f30e182ed48

SHA512
cbf04ca45f6dd3b905e44a34b9f8ba5eb44c9d0b7eb65d119e8d8ef914c24f6724bbc04b39656ffaab1e77247eb72423a91096c1f6ddc6b53f8d96c911035401

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
1c984bd8917a3621138fd78d27c080d6

SHA1
66a576c087d4ae45028d7ae822c40fb35c2d3bec

SHA256
61647b0571564210c500fec5066d2280b7aa11d30f3f0e6d7af2c40ce9a7c52c

SHA512
d825ab8fa060b7f5443befa3fd22315d252eb805af4003ae69b957be97acfa3a69d41990153008c77c3df2d4f285c38fc8b9e925a6ad3bc83dc079062f515e13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
6cae8bbd2e1d4131e1dafd269fd5628d

SHA1
292ec651195f31b593e3667ae33e2e06d84d151a

SHA256
4d43dd8ee621adc9cd0b4d0b6b1e4c450b475aba6b297483b6ac4a78150f761f

SHA512
1464c2d026e0fb3e9bd4629b0f7e8d99b7071fd1a6f2fd76536d7c93ddf8b34690fb81d989a01675cc6fdf48d8e0fa977d9daa947dd62d4194d600e8802468bc

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
920b8d7997a6825483ea0e43770fb73b

SHA1
b34777df036efde620ec11ada7bcb051436c9b7b

SHA256
cfdeb4027e3893f64ff471b48aed27d0e6258afaf414412226117fb97bc648e7

SHA512
c70328eeaf8f434e6e4925d85c9718b548cab37cb9336da0c467c93df2aa9cef2b6eb48f3f1d21d255dfc52bbf8df7b03c6d1e5818a45507e4347fbe38f9ec3b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
551b7aa0650e7b4bc04668ee71102eec

SHA1
3c14976080aa6fa210136d14a26a46b316e706e9

SHA256
1af5265612d9c28d2c9014fd89db159073a94f0a5f6447a5056901f004682ad8

SHA512
0659895816040de43b6c9f6c6e49b231e6110f985010d39270d4b4cdc656ca981fbebf264a5f811ba98e011967b009a9230bb65151aaf3abe4b8893339ed92de

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
10b7eccc0bde2cb21123fbc5f991ee11

SHA1
26de5f72895c8e0e8a5435dff361523d677c1769

SHA256
c20ebf12a3542ed4af05fe6e017f02f4f1cb2d8890b3ee7699f4dc52c4d68996

SHA512
d7045ccba89009ec5d173c95b633399686913adc6ec4ac17a80ea282be61e1f2ed42c605aa535d35938af07e885253c62403cc2883b1bb92dda1e1aad5a39738

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe
Filesize
4.6MB

MD5
c8fbb6940879ae498b60924da2c7aa2e

SHA1
9a377449d1a0a8ab53b44c44b1d64c2013e84f8c

SHA256
487163d8b126ad432255c34aa9b899c78e7801da313678a1a930d6a4234b48d0

SHA512
f5dcc81655f785ca85ae899b3fd78fea2375ca244a9c055d0c8c6a22828b3d5b0a7197f264045754141a8b4db58edeb0f6c68b32fa98941ee883dde3dbf9e47e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe
Filesize
4.6MB

MD5
f08e7b19a2d8c1ece27195f522aba7d8

SHA1
7b6b8e7fb90de860cc738935061027babbe3272e

SHA256
8501c16004bfdbb36c76ad72ee0433b58f5c89a82f9802356082a0dd38e74a9b

SHA512
0916a13fc4794cfc27c27a77066cd545532790660db3f259f3c000fe42b544a747d5edc21c50e4bc58b1b13a9b9f30e0c0c9c5ed6b125a12a343218dc994c6d7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe
Filesize
1.9MB

MD5
affbffe297b6aafe4268fa77e8517531

SHA1
200de2f10a09e95563f1c3aea24ca0e247981f5d

SHA256
2db8b747b3e48ed82b3bada1ef47cbd011c482eed102979d9901e7aef152ebbf

SHA512
e6098cef0e8d3e5cbac6110bf107d4318ae67a0a0eed85bd5f1480def35cf953ddb135a65f9c8890f12ad8e8db416dc03784252cb2576a9fac9aa03c763011fc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
Filesize
2.1MB

MD5
538dde9db6a03f8a8b7e17be5dd43ac6

SHA1
1c381c582bdc2d661aeb099d889ceef1942854e9

SHA256
8a50a29e204c1c29436aa8b91c35612c74c447c3b5675fae5ba81c77fc1c83ef

SHA512
379590bf2571dcc10a97654f1014cb24970178667e92aa039640129612bb5d96bd2ef00907d7ee1b174622ec96d5e79816bfbf1224f500294c5bdb0dadcb7efe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe
Filesize
1.8MB

MD5
bfee4c2e5459481fc604522b34ef1bf4

SHA1
f9357008e036a5727095e41c9df5842967d92128

SHA256
c572e3ad5b91d27b5a8ee3806e90e4e7575fdfbdfd9c618e8ae38879d1aa4304

SHA512
9f948dfce80842c8812bfb1cb6ceae3f567571ddd0c560a15ec0216d7e8f508a958801afc2b3956f1e79c715b36eccefda2d54d716ac4a19ddef1666c4cfc5ad

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.6MB

MD5
8b29eda8008e358fc515eba4fc240042

SHA1
9a36d1e73f4184180c9202da0a60481f37da3594

SHA256
347411c608f29d5d2c61a31f269a8a2dd2e4399dee9f81349a7c6fdcc5a8d1c3

SHA512
e4bd544712a29aa2c4dedb3fd01d81b0c401da1eee63727f13427650f21734784c6ce76b8d20a2c26b6370d9999bf04653a389216564e94f464bcfff45825fcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
aecda8b3e5bacb9cf5f9c764f9176c4d

SHA1
47cfe8a1292ada2ab2dd5224606027f898819d56

SHA256
4060c7574c68292ca1692e1475ea0c8d7a0b583f30aeb8fa23c4ab0016fda82b

SHA512
36b677646776a09bf276aced797b1b2462dd42c1baa5ea0cf349ade018c22253d0c82dd0b397c2a10fc9098e6b41652edf987af099312e07da7d5cce369e96a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
fed12f795df4fd2338fe2010ec5c026c

SHA1
a49cecd55fdaae33fc3b44ae7daeed460a573a86

SHA256
ffc8d5efb1da3f909fe2f5dc8122ca9b51e5493f0f0bc1108bfeb254f768dcb1

SHA512
693034ec764145ca04a71538fca122e4020c61df9a76ae3a7785aa5f618bd6328bc3ce239a2c4a2fd839aba4fc8b8f208eee225aef9a4bbc5e2a707fcbf960d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
cbbbb818f98fd0692d87dea236130a5e

SHA1
655e7aa234bb09f8d2e29ab7d7d6fd26e57b9775

SHA256
d74879d53919d2856fd802a38cb32838e2a0c48fe67f2292489cc9899217a80a

SHA512
b4ef38c9f2b30e3b2a9a57ecb0c0a6d15bf6b246ae4878deb39c3d8c93e683eb4f3ba77019157a8a7544e16a9f8ee96b7c601735056d468285f0ef27eeca6af9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
5141cad4cbb2bcffa89629b5b237c3ee

SHA1
43f860721e0f21f3ac2e3b18dac3231f1a7d23d3

SHA256
8de60055925310a20ecb1d1b53ac16cec6e5d3cb2c916775b85acfb90152e920

SHA512
683236232a3ba8a7be517f176893385e837a881a41435c751f2c64bda6481994b767c65dc50c4eecf05a199b8ae2dfc9fd1467591c582d352ffebf5df47f26c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
16286c8e9fbb3ac0d4dcd00d667aa867

SHA1
a10a95db6cd34f692266f712c576695d2bb11ef6

SHA256
3864a92dba5d7f9e1a2200e61feb117fb077a1ac1d7a1e528cfd94dcfea83ee3

SHA512
1b6e28186694a9a70899ce66311c88afb3832e6af2a5147e9b968c1a6c260e35d938d9521c859449fbe918735355bee063637625d4a4882d0a2006ed7c2ca2bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
11939b7bd46fd1a7c796559d01708b29

SHA1
8262b8e28505137b9cebacc84739321eb4bbdf4a

SHA256
72ad5ac41c3f857ec94dd48d41ce6e10204e429aef64136e96f00c01e22d8f6a

SHA512
efdc20b94057fe640a6064b0d8c9be2c18b91983adff31d30cdbc59994d00182c3561c2cfca0f1595127d27c4d9f877c9fe197cd340f5cdb0e2f5965009869be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
c1eb7f8b154152851c0f0157047dabd4

SHA1
2afe6b2f83ae5b3ff4954b30b3112e3fea73092a

SHA256
b6358e94dfa36ce17b8f469bfd49480aab99ed932f154b60dba96c71503cd23c

SHA512
79e43323319837314e6493f28f61d4736f2183eac862ea70813ef9530a2cd238a45610abf3088b26101ec64b67ec57fbc1faa16e7fd02d3e6c32c9dcced23e44

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe
Filesize
1.5MB

MD5
6159a6e696d1ca11e52a26ecaf68f37b

SHA1
387b103404940d1ce245d60473ac84b5607784e9

SHA256
e47f7773085729d1d4bed6a13f969b6152443884ac6fa77f5aea1b3bf13ac9d6

SHA512
e579845c8201c81cffced049ac9a3c71465845efa0409cc3bc878d6701550366dd1943953da5a29fb5230122bea92038b9fcf200a9ecd7e799dfff6cc0fdd009

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
701KB

MD5
eb3b743aa72b7bf2bf170dc246ef4cb2

SHA1
2cca1fcf3834beb7f43aa61b28da5eceda3e9e35

SHA256
14f9285054424fccee5829cfda1fba33cb56e5d91d627286ce43c22fbdbaa9b2

SHA512
78c2bd437c097d3f6b3e4eb7361a34d615c3e39de364a4bb88a51bbdec254180b97b3e54abecc9a78a2196e8be545c5e6ae507343e66d2316424c83dcada3166

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\VCREDI~2.EXE
Filesize
4.1MB

MD5
45109081338654c25e42aea404b7d40c

SHA1
7474003f1dffb4439381cb628ded660d28a41bdd

SHA256
00fbdecf2f47d72cdd20a60d685d5d0f56e1f5ec571a7e43eebe1b178285eb76

SHA512
cb89ea354aacf4560ab59ccbf1ae5f9d4913b0b4b6130bdaeb6f8eced7844c416875d0303e0f141165ca1681f6b9728d46a96fa44b3a2eb45616d904658179e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredis1.cab
Filesize
309KB

MD5
1f759e1b809cc291bbea00b43c6e9f74

SHA1
4038059d53fd925a9142642bbfd800e196ed888f

SHA256
044969556a9ff7bfeb95cf1cc30fee41e57417814192749a6e7b2820ea1803c8

SHA512
23682155c290c46c4673a80b6775f9e92ba1c855c4609454ed258d23f7a97cd5adff3a709a7348759755aeb941b71f4f13c7cd7288be4270aa772ef679774fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi
Filesize
3.8MB

MD5
fa135204bb6146fca799cf06d30c444c

SHA1
774b9fd7ca76502ae6c732432377d71dfd75a15a

SHA256
cd7eb3fe76c008e2af85cab033f620e04e22af941797083a5fb51e269bb8fcbb

SHA512
b2c20573b92766353db601a31d4409397fd5de3a32f9bde4b3e627b48c5b859d33c93f96ecb0c177eb16768f5dd744394857a078a7302fdf0f0e4f5d2543b73a

Download Submit
C:\Windows\Installer\MSIE09C.tmp
Filesize
24KB

MD5
7bfa56d222ecc4267e10c01462c6d0d9

SHA1
9b3236a45673ff3bb89df3e690784b673ae02038

SHA256
6eeb255e1d5333a7b4f1b62e36afa1bea5cfd6c7e32058bb3a9efebc4d9f2ad6

SHA512
10cec6bfd08a8b7cac1acbc3627cb014554ba71f44eb4bfe5b1471b81d6d292fd83a352d553af0de75fc1668a1f13d7f6f6c7bf1c6524117f363a3a7fc9b09e9

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
74c621053b39aa3b41f0330e5d6ec664

SHA1
8cc4d2ecca35d852857c6b395c7bdbf6e3e5badf

SHA256
18d290503eb6e4a5c7bb3b4575ab72ef8e003f56eaa7c5619cfb80253cad954b

SHA512
9a639212cc18e62977ea6655ae420f2713606d7a8b95121ed83b9b548b0d2ece3307e8cf4f40fe54ad75af0c8608d7e2fd612eb0b72df6aa2daa90be2ca9f4e8

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
3eb867375441f56983d8a86a29fd1511

SHA1
c7e5dfd635aead1a6dac91c1af50fe42d91e1387

SHA256
791938da3f0cd63c443fc5df440dbfb5c1ca9381a627c05c1e2e41d7249d454b

SHA512
6c8fc58224a620a70dd64332e21548a7e7eaf0d3357ddcf90a7a61aaf6f0b376d8bcce7b331e68d7412ffc1e44e8075c473cb527426d96c028a3e87609bf818a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
c35b6685ff81bc7b7f725a5b516fb3f0

SHA1
57c819c3cac33687745944aeb24ac731bea279ea

SHA256
213d2b616972fe976d93bd346aada7196babf008fef1a72cc2bd7fdef4611bda

SHA512
8f0afa89019f92c15ee95ddf8958ae96adbb880d4aa17428782bb28c01500fc53f9ac29bd3e76a004e68c56f09276495592f884850ffec8aadd1dd8eaf26aad2

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
c179e9fd39bebe6efa85366b2d8cafda

SHA1
038ebf2fcd961175c84c010595c1ce1ffacc65e9

SHA256
7c69723e2966bac0205bbd1021156450a5439c97c436400468ccfb87ebb91ea3

SHA512
cc647df38f3e28bfc1ed95acfac2e662cef387854488ad12b802cda3fb58c27dd4bc6e2a5267eb900401c6d7dedd9a4410acac59077b86a7c249dc120ef68007

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
5fc34766a036b213918115e3393afab9

SHA1
6233d3056685bbb45528ba468efebf63e4993e8b

SHA256
994bfe7531b6d883500d7e63e9fb6f8d5d9fc6cb9d1a87030d0326d395fbb0b4

SHA512
c6eaf498e112dc648c54798266a278b525688dd931b3d9eccb57d6da0c2c4e4cff29de83b0cacd59a76cde72f06fc848ce4daaad836dfc610f8d82c42b5b1a15

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
67f24f4dd1ba1bc87278e7e51fe1555e

SHA1
0f9011ba4a4b88201394b01bd56ebf910074d737

SHA256
68d63e05ff01b1ab8c73312899f7945af6ebe75a4533d8395782a3f11660bbbe

SHA512
98367d7076212a23bdc2601755db1a52049cc448859216cf8341a62d9b2bdd08808858b91a402a534ea4a890d7033e8dc303c416bae04042ebcc6107412b1b0c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
850f35411ef142d73865cb6d5c5d9970

SHA1
8af01f069a049a90611606667bb298eece87e56b

SHA256
d8394623ed520c5a5567ef5e70431b5f3b30d420887d8e4ecd0ce3ce6b84bfa8

SHA512
cae860c194d7f984e7274c760f665ccb9f4a531a123ceaa128609b8d2fb26a07f7563bf8bf91acd200e53ff231d39e81840174c1601b5633f7d45223b71585d2

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
762c4ce5052da0030b5a0674dac37b1d

SHA1
5017e599e6f4cdcb51b763e2d721ec22bda8fd46

SHA256
7941c1aa840635dee160da2bc57869a8dd19f8c3ca721456444acf32fcda2797

SHA512
f121d53e3a99ecc9627aacb269b06bb267c795dbb1035aacab40564e7d9f48f1513e205110b421f22bee7deed7a14583b4f7906fc63ad61db8ed0cec889dabf2

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
8718cd7d98a7c87a6bf89e71cace2972

SHA1
e61d74af008dce9e98e18d109ecbdbe97e36211d

SHA256
70a6640b2eefff3ee055d1e95eb4a75cc81f680bccf396bdc8b3e641ef0e96fc

SHA512
d8b6d0d87848d5a227c5149a50170d3c77bac1a2ab8953eccb8673c2e83f03d20f99f7ff22e0e1ee84cc868eb523253901e5c0c3d9ff69c24da16832d44fb6e4

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
7e14ba8aa00d47ea57a5cc93e020942c

SHA1
f532cc9569b19023c0598001223be857a394bb0c

SHA256
f4db6488d9140df1a30f239d622b6548d456be13d86214aca8c2f70e20f9dc39

SHA512
b8b1e55a4b06e4a147a6c4b9ff4f0647a7d33ac1c9834652e571662324aad6e9776fe59fe39fb7bc642514677f832086609a87faafb42e6a3ca145f9951b6fd7

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
02ce668c4d11a22abf7567db20d87ae9

SHA1
a7317f9bfda581a9df42031250cbe9a112f4fe24

SHA256
14b27d8a085db7e15edca3c499c8902ad777b05dfb4eafa8a1d0fb0b10db6d11

SHA512
828a5b45259d6844a67021fb5a25a4c0857ae7a89dca60dd0fc755492422f925ad98acf028af026d1b8745447a69e12b43ef865f85f2c81910e499335528c426

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
c9bc6c5b394f81435fc78d7c7130db46

SHA1
6ab51a9d669c706e7bc84815098e3260958a1b32

SHA256
54ebec2bbd662b1c3bc9e9ff4ac3d93cc75d21abe8224663b26c551d7817402a

SHA512
74783c8d96ef2ce9224c78827cfcd79e3db13f4eb9cc8afa0d5233e5d794229b68deb04b38971926f10e3ede8d2077bf3661f414daf030c7a068f8cfa7ebcd9a

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
21229fbd67a5ec960d91571c76b63363

SHA1
5dd3ed769061e3644e72752016f49bd414a944a1

SHA256
0687406daecbd622b06a3599cd1f270c73f302ab713f330ce3c9d9c4cfc6cd6f

SHA512
e5e62152dc144328333b1a26748b0119db8106d77dcafe0e82fae7693c89fd8703c6ea90088ea419e06e8b5f9a43fed771f62f08257ff1805815460836914aba

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
f45d5e5c6ed66f1bfcafa18eed067583

SHA1
1c983894812183b96114e17407a9513ac87562f8

SHA256
508e92f668f0e34a1bb1ffe1bac4e38d22a764fee527526f7153b3d872d93bb6

SHA512
e3df4ee30966904c6359c1c4a0e8412c120acd9a2bafa5589e3e68682de6994a3bdc226f0063c6256e8702f1a3505dc666ed29c8f922accfac7eca14c97ec3be

Download Submit
C:\Windows\System32\msiexec.exe
Filesize
635KB

MD5
f57d2c835f36c6bbd34e66ff7ef6589e

SHA1
cc157c78d62c9471a05df68853d1b9748f383dab

SHA256
be8edf7d74eec6aa3cb9a52e0d770bf46dda038140789ea6364fded6ff2266c0

SHA512
10d5f246490ec45d51e268a393214edec10f0b11f6d88de07a911c6845c7382fadb6303b08e2836972a7433e2212ec8a52266a8e880d01bb4d079b7d3018d7ae

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
a5ba3d74967f33a781c32259422913f9

SHA1
d2eb6e2222cf294758f3264b96c4a9b854c53930

SHA256
8651717f25314a9b5649fad35d56c281bde60e9a9dc19984653c01270d647d19

SHA512
95ae3363e9634ba619c8ce9ac9323f787d0ea9e447819d86ca767d7dbd88152d5aed92b41da92e9fb79b07c494eaf77e70cede05bc111fec1fcafb214b190334

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0d867e5ee55219ba6744ce3ad339544a

SHA1
dd0517b03cc7ca51cc3c1c6c029144454dc6a4b3

SHA256
4d75e0f4fd7ed0f4bf59c6a3fcfdc070123e0ab091cdb33f3af89c6490340eb2

SHA512
2b00271becec685bdb042ed69662c49b95e9219cd40696d100e8c855e3d7ecfb96bc87a2c2fdb7f056dfb1b555dc44b4209f7b57881f575941da6dba5747b722

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
b8a9a66e73d88dae1975d69f471514fd

SHA1
2db8352b20c7a0b52f6affaadba0e22b73b24ae7

SHA256
9a12c7e3ab98f8b81b985b6a3d86b75fa31d565157e6a1e9a45cf1ce4577f842

SHA512
159ad97fc95f03be63db082e73a5c20cc4a240d620b556678710ad908fa7fe0445500d206e501e8f5c9f8f32fd7063a4a8245d9b101781f1f19771a0f19a0ac0

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
63e90fc65b0c489b9074ab2e240bf587

SHA1
57db8eae1031c2e6e148bb319c94ba7042692a8c

SHA256
1b3b78663d95f080d699586fea9dff8e0f06cd38a5d1e798a6fa1172e9db9438

SHA512
04c023e86e37725952117d002b6c86c4b64ec09db5bdf5a4b74e8beb514dd7438963641e6ed35f34eeb868c1a0b8f754baea9113a94e4aa8338acb8d6454df50

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
c8752e50d85060371f7a6f13c997962a

SHA1
15238cd3e72cbba46e0b920603a52841d170cf16

SHA256
fb3e3a6d259db11eacb0be2036a3d62b631d723b6333a29621523a56035205be

SHA512
533233a8fcbf6ae5deff9251a710b7123d2955b3ad21f5688ba8f0964e34ec91d65f931bda0e7af6b0474aa3fe016c8eb1884473c3085b5359deb426faf37aa2

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
d9022bc12b53f449c4946e30b6939881

SHA1
1476e2e44553aff102b8aca0b35dd227a342d77c

SHA256
41e7f3f8c30c35eb29cd0a3f012efb16a6a01ca7bca8556fa92b41aefc2a5cbf

SHA512
0b652955dc68679b16d63deed39e09a30d89c2b43c13492179da7715b0e2f48050bfb770324a32329d3cc133e421dd7bba0ae373a325deab96256cef296e49ee

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
24.1MB

MD5
c00cd78b866b2d5a3c987f568e0800ca

SHA1
018b7b44a3bd04dcd4658b8233f875dd23c4ad3d

SHA256
3496f075c405de71acd232eb49eb1c1709d377e49a8f2fc028cac9c7c6009ce6

SHA512
f206a6c24b7db3a5ebf538545639e1309b5bd720fc895b1c9d2e8b1deb89965de13e18ee9f53bbe3a4b0a42d50fdbb8cda4592b7214d98fd22d4418f27b94adc

Download Submit
\??\Volume{4eb58e82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{19f69b09-699e-464f-abfb-b2baf61d0d2a}_OnDiskSnapshotProp
Filesize
6KB

MD5
3885c894ce022ad1177bafd1bf2bd6a7

SHA1
d92c0a0c3f6c2cda0df428c2f5aeec6489c67004

SHA256
cb5cde2da0da86c522f7da0a5d477136875578a1b6643954bbba3cbc2fe87479

SHA512
2a0d47bfb62cc2edd25506a527ab9ea108c52e696b9c50c3625cab31e2ca1d7445eb6f8c550148879675a41c54deed1724f88e0ce63d91438f8d7b41b8580321

Download Submit
memory/220-148-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/384-150-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/768-530-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/768-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1060-168-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2068-543-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2068-170-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2088-146-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2088-539-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2120-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2120-331-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2268-145-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3192-0-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/3192-699-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/3192-8-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/3192-142-0x0000000001000000-0x00000000014A6000-memory.dmp

Filesize
4.6MB

Download
memory/3192-1-0x0000000000740000-0x00000000007A7000-memory.dmp

Filesize
412KB

Download
memory/3276-532-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3276-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3276-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3276-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3452-55-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3452-62-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3452-66-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3452-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3452-56-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3508-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3912-101-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3912-96-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3912-143-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3952-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3952-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4148-536-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/4148-562-0x0000000140000000-0x00000001400A5000-memory.dmp

Filesize
660KB

Download
memory/4484-92-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4484-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4484-79-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4508-139-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4616-83-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4616-89-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4616-535-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4616-94-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4668-542-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4668-169-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4800-147-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4872-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4872-412-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4872-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4872-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4888-165-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4888-541-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4960-39-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4960-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4960-33-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4960-531-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5064-540-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5064-149-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download